- Observability: other versions:
- Get started
- What is Elastic Observability?
- What’s new in 8.17
- Quickstart: Monitor hosts with Elastic Agent
- Quickstart: Monitor your Kubernetes cluster with Elastic Agent
- Quickstart: Monitor hosts with OpenTelemetry
- Quickstart: Unified Kubernetes Observability with Elastic Distributions of OpenTelemetry (EDOT)
- Quickstart: Collect data with AWS Firehose
- Add data from Splunk
- Applications and services
- Application performance monitoring (APM)
- Get started
- Learn about data types
- Collect application data
- View and analyze data
- Act on data
- Use APM securely
- Manage storage
- Configure APM Server
- Monitor APM Server
- APM APIs
- Troubleshooting
- Upgrade
- Release notes
- Known issues
- Synthetic monitoring
- Get started
- Scripting browser monitors
- Configure lightweight monitors
- Manage monitors
- Work with params and secrets
- Analyze monitor data
- Monitor resources on private networks
- Use the CLI
- Configure projects
- Multi-factor Authentication
- Configure Synthetics settings
- Grant users access to secured resources
- Manage data retention
- Use Synthetics with traffic filters
- Migrate from the Elastic Synthetics integration
- Scale and architect a deployment
- Synthetics support matrix
- Synthetics Encryption and Security
- Troubleshooting
- Real user monitoring
- Uptime monitoring (deprecated)
- Tutorial: Monitor a Java application
- Application performance monitoring (APM)
- CI/CD
- Cloud
- Infrastructure and hosts
- Logs
- Troubleshooting
- Incident management
- Data set quality
- Observability AI Assistant
- Reference
Grant access using API keys
editGrant access using API keys
editInstead of using usernames and passwords, you can use API keys to grant
access to Elasticsearch resources. You can set API keys to expire at a certain time,
and you can explicitly invalidate them. Any user with the manage_api_key
or manage_own_api_key
cluster privilege can create API keys.
APM Server instances typically send both collected data and monitoring information to Elasticsearch. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
For security reasons, we recommend using a unique API key per APM Server instance. You can create as many API keys per user as necessary.
Create an API key for writing events
editTo create an API key:
- Go to Stack Management in the main menu and find API Keys or use the global search field.
-
Click Create API key.
-
Enter a name for your API key and select Restrict privileges. In the role descriptors box, assign the appropriate privileges to the new API key. For example:
{ "apm_writer": { "cluster": ["monitor"], "index": [ { "names": ["traces-apm*","logs-apm*", "metrics-apm*"], "privileges": ["auto_configure", "create_doc"] } ] }, "apm_sourcemap": { "index": [ { "names": [".apm-source-map"], "privileges": ["read"] } ] }, "apm_agentcfg": { "index": [ { "names": [".apm-agent-configuration"], "privileges": ["read"], "allow_restricted_indices": true } ] } }
This example only provides privileges for writing data. See Use feature roles for additional privileges and information.
- To set an expiration date for the API key, select Expire after time and input the lifetime of the API key in days.
-
Click Create API key.
-
You must set the API key to be configured to Beats. Immediately after the API key is generated and while it is still being displayed, click the Encoded button next to the API key and select Beats from the list in the tooltip. Base64 encoded API keys are not currently supported in this configuration.
You can now use this API key in your apm-server.yml
configuration file:
Create an API key for monitoring
editTo open API keys, find Stack Management in the main menu or use the global search field. Click Create API key.
Enter a name for your API key and select Restrict privileges. In the role descriptors box, assign the appropriate privileges to the new API key. For example:
{ "apm_monitoring": { "index": [ { "names": [".monitoring-beats-*"], "privileges": ["create_index", "create_doc"] } ] } }
This example only provides privileges for publishing monitoring data. See Use feature roles for additional privileges and information.
To set an expiration date for the API key, select Expire after time and input the lifetime of the API key in days.
Click Create API key. In the dropdown, switch to Beats and copy the API key.
You can now use this API key in your apm-server.yml
configuration file like this:
Create an API key with Elasticsearch APIs
editYou can also use Elasticsearch’s Create API key API to create a new API key. For example:
POST /_security/api_key { "name": "apm_host001", "role_descriptors": { "apm_writer": { "cluster": ["monitor"], "index": [ { "names": ["traces-apm*","logs-apm*", "metrics-apm*"], "privileges": ["auto_configure", "create_doc"] } ] }, "apm_sourcemap": { "index": [ { "names": [".apm-source-map"], "privileges": ["read"] } ] }, "apm_agentcfg": { "index": [ { "names": [".apm-agent-configuration"], "privileges": ["read"], "allow_restricted_indices": true } ] } } }
Name of the API key |
|
Granted privileges, see Use feature roles |
See the Create API key reference for more information.
Learn more about API keys
editSee the Elasticsearch API key documentation for more information:
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now