- Welcome to Elastic serverless
- Elasticsearch
- Serverless differences
- Elasticsearch billing dimensions
- Get started
- Connect to your endpoint
- Client libraries
- Get started with the serverless Go client
- Get started with the serverless Java client
- Get started with the serverless .NET client
- Get started with the serverless Node.js client
- Get started with the serverless PHP client
- Get started with the serverless Python client
- Get started with the serverless Ruby client
- REST APIs
- Developer tools
- Ingest your data
- Search your data
- Explore your data
- Playground
- Elastic Observability
- Observability overview
- Quickstarts
- Observability billing dimensions
- Create an Observability project
- Log monitoring
- Inventory
- Application performance monitoring (APM)
- Get started with traces and APM
- Send APM data to Elastic
- View and analyze traces
- APM data types
- Distributed tracing
- Reduce your data usage
- Keep APM data secure
- Troubleshooting
- Reference
- Infrastructure monitoring
- Synthetic monitoring
- Get started
- Scripting browser monitors
- Configure lightweight monitors
- Manage monitors
- Work with params and secrets
- Analyze monitor data
- Monitor resources on private networks
- Use the CLI
- Configure a Synthetics project
- Multifactor Authentication for browser monitors
- Configure Synthetics settings
- Grant users access to secured resources
- Manage data retention
- Scale and architect a deployment
- Synthetics Encryption and Security
- Troubleshooting
- Dashboards
- Alerting
- SLOs
- Cases
- AIOps
- Data set quality monitoring
- AI Assistant
- Elastic Entity Model
- Limitations
- Elastic Security
- Elastic Security overview
- Security billing dimensions
- Create a Security project
- Elastic Security requirements
- Elastic Security UI
- AI for Security
- Ingest data
- Configure endpoint protection with Elastic Defend
- Manage Elastic Defend
- Endpoint response actions
- Secure cloud native resources
- Explore your data
- Dashboards
- Detection engine overview
- Rules
- Alerts
- Advanced Entity Analytics
- Investigation tools
- Asset management
- Manage settings
- Troubleshooting
- Dev tools
- Project and management settings
API keys
editAPI keys
editAPI keys are security mechanisms used to authenticate and authorize access to Elastic Stack resources, and ensure that only authorized users or applications are able to interact with the Elastic Stack.
For example, if you extract data from an Elasticsearch cluster on a daily basis, you might create an API key tied to your credentials, configure it with minimum access, and then put the API credentials into a cron job. Or, you might create API keys to automate ingestion of new data from remote sources, without a live user interaction.
You can manage your keys in Project settings → Management → API keys:
A personal API key allows external services to access the Elastic Stack on behalf of a user.
A managed API key is created and managed by Kibana to correctly run background tasks.
Create an API key
editIn API keys, click Create API key:
Once created, you can copy the encoded API key and use it to send requests to the Elasticsearch HTTP API. For example:
curl "${ES_URL}" \ -H "Authorization: ApiKey ${API_KEY}"
API keys are intended for programmatic access. Don’t use API keys to authenticate access using a web browser.
Restrict privileges
editWhen you create or update an API key, use Restrict privileges to limit the permissions. Define the permissions using a JSON role_descriptors
object, where you specify one or more roles and the associated privileges.
For example, the following role_descriptors
object defines a books-read-only
role that limits the API key to read
privileges on the books
index.
{ "books-read-only": { "cluster": [], "indices": [ { "names": ["books"], "privileges": ["read"] } ], "applications": [], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } }
For the role_descriptors
object schema, check out the /_security/api_key
endpoint docs. For supported privileges, check Security privileges.
Update an API key
editIn API keys, click on the name of the key. You can update only Restrict privileges and Include metadata.
View and delete API keys
editThe API keys app lists your API keys, including the name, date created, and status.
When API keys expire, the status changes from Active
to Expired
.
You can delete API keys individually or in bulk.