API key definition

I was hoping to start this discussion with somebody from Elastic. Currently, the team I work with have been actively using the REST API's from Kibana and Elasticsearch allot, but have come across the difficulty of setting up the correct API key rights.

As I understand the current situation, for example, an API key to create alerts requires much more rights than just access to the alert create endpoint. It requires index rights, action rights and more depending on what the alert needs to process an event.

From a security standpoint, we now have to set up an API key which should have as sole purpose creating an alert, but requires so much more rights that the name API key doesn't seem fitting anymore. It is not a key to access the API, it becomes a user or action key that requires a ton more of rights.

Preferably, I would like to give an API key access to an endpoint and the rights needed to perform the actions(event processing) come from the user that created the API key. But I was curious what the Elastic team has to say about this. Because creating an API key currently is overcomplicated for somebody who doesn't completely know the source code.