Hello,
I'm trying to limit the default privileges of the API key when it's being created. By default it's created by Terraform with a superuser account, which I feel has too much access.
We want to use the API_Key to connect to Elasticsearch from the .NET application. The application will run querying and indexing operations, it will create and delete indexes, and it should also be able to monitor cluster health connectivity.
Now, by default, if I just create the API key with the permissions of the superuser, this is what we get.
With these permissions the application works just fine:
{
  "api_keys": [
    {
      "id": "",
      "name": "",
      "creation": ,
      "invalidated": ,
      "username": "",
      "realm": "found",
      "metadata": {},
      "role_descriptors": {},
      "limited_by": [
        {
          "superuser": {
            "cluster": [
              "all"
            ],
            "indices": [
              {
                "names": [
                  "*"
                ],
                "privileges": [
                  "all"
                ],
                "allow_restricted_indices": false
              },
              {
                "names": [
                  "*"
                ],
                "privileges": [
                  "monitor",
                  "read",
                  "view_index_metadata",
                  "read_cross_cluster"
                ],
                "allow_restricted_indices": true
              }
            ],
            "applications": [
              {
                "application": "*",
                "privileges": [
                  "*"
                ],
                "resources": [
                  "*"
                ]
              }
            ],
            "run_as": [
              "*"
            ],
            "metadata": {
              "_reserved": true
            },
            "transient_metadata": {
              "enabled": true
            }
          }
        }
      ]
    }
  ]
}
Now, when I changed the role_descriptors to limit the access of the key, it looks like this:
{
  "api_keys": [
    {
      "id": "",
      "name": "",
      "creation": ,
      "invalidated": ,
      "username": "",
      "realm": "found",
      "metadata": {},
      "role_descriptors": {
        "role-a": {
          "cluster": [
            "monitor"
          ],
          "indices": [
            {
              "names": [
                "*"
              ],
              "privileges": [
                "all"
              ],
              "allow_restricted_indices": false
            }
          ],
          "applications": [],
          "run_as": [],
          "metadata": {},
          "transient_metadata": {
            "enabled": true
          }
        }
      }
    }
  ]
}
But now we get a 401 error:
System.InvalidOperationException : Could not authenticate with the specified node. Try verifying your credentials or check your Shield configuration. Call: Status code 401
Now, since I left all of the indices permissions with all privileges, I'm not sure which part is the one that is causing the issues. I feel like the key doesn't need most of the cluster privileges, since it causes a security vulnerability.
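
Added example, not part of the original post: a small Python diff of the two role descriptors shown above, listing every grant the superuser-backed key had that `role-a` no longer lists, so each removed item can be restored and tested one at a time. The function names are hypothetical and the descriptors are copied from the two outputs in the post, with the metadata fields omitted.

```python
# Descriptors copied from the two outputs in the post (metadata fields omitted).
SUPERUSER = {
    "cluster": ["all"],
    "indices": [
        {"names": ["*"], "privileges": ["all"], "allow_restricted_indices": False},
        {"names": ["*"], "allow_restricted_indices": True,
         "privileges": ["monitor", "read", "view_index_metadata", "read_cross_cluster"]},
    ],
    "applications": [{"application": "*", "privileges": ["*"], "resources": ["*"]}],
    "run_as": ["*"],
}
ROLE_A = {
    "cluster": ["monitor"],
    "indices": [{"names": ["*"], "privileges": ["all"], "allow_restricted_indices": False}],
    "applications": [],
    "run_as": [],
}

def index_grants(desc):
    """Flatten index entries to (name pattern, restricted flag, privilege) tuples."""
    return {(n, e.get("allow_restricted_indices", False), p)
            for e in desc.get("indices", []) for n in e["names"] for p in e["privileges"]}

def app_grants(desc):
    """Flatten application entries to (application, privilege, resource) tuples."""
    return {(a["application"], p, r) for a in desc.get("applications", [])
            for p in a["privileges"] for r in a["resources"]}

def descriptor_diff(before, after):
    """Grants listed in `before` but not in `after`, per section.

    Literal string comparison only: wildcards and composite privileges
    such as "all" are not expanded.
    """
    return {
        "cluster": sorted(set(before.get("cluster", [])) - set(after.get("cluster", []))),
        "indices": sorted(index_grants(before) - index_grants(after)),
        "applications": sorted(app_grants(before) - app_grants(after)),
        "run_as": sorted(set(before.get("run_as", [])) - set(after.get("run_as", []))),
    }

if __name__ == "__main__":
    for section, lost in descriptor_diff(SUPERUSER, ROLE_A).items():
        print(f"{section}: {lost}")
```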