API Key for Kibana Reporting

Thanks for explaining the documentation to me; it definitely pointed me in the right direction.

However, in my case, I had some additional requirements that weren't met by the documentation:

  • Use an API key for authentication.
  • Restrict the report to only the data for a specific application (datastream). E.g., logs-myapp.log-*.

The role in the documentation appears to be intended to grant additional permissions to a user with the standard user role. As a result, when only those permissions are used, the following error is generated when retrieved through the API:

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "Reporting generation failed: ReportingError(code: unknown_error) \"Max attempts (3) reached for job <job_id>. Failed with: Unable to bulk_get index-pattern\""
}

In order to generate reports with an API key against logs-myapp.log-*, additional permissions were needed (see below). After experimentation, it appears that these are the minimum necessary permissions for an API key to work for this purpose:

POST /_security/api_key
{
  "name": "myapp_log_reporting",
  "expiration": "365d",
  "role_descriptors": {
    "myapp_log_reporting": {
      "cluster": [],
      "indices": [
        {
          "names": [
            "/logs-myapp[.]log-.*/"
          ],
          "privileges": [
            "view_index_metadata",
            "read"
          ],
          "allow_restricted_indices": false
        }
      ],
      "applications": [
        {
          "application": "kibana-.kibana",
          "privileges": [
            "feature_visualize.minimal_all",
            "feature_visualize.generate_report",
            "feature_canvas.minimal_all",
            "feature_canvas.generate_report",
            "feature_discover.minimal_all",
            "feature_discover.store_search_session",
            "feature_discover.generate_report",
            "feature_dashboard.minimal_all",
            "feature_dashboard.store_search_session",
            "feature_dashboard.generate_report",
            "feature_dashboard.download_csv_report"
          ],
          "resources": [
            "*"
          ]
        }
      ],
      "run_as": [],
      "metadata": {},
      "transient_metadata": {
        "enabled": true
      }
    }
  }
}

I haven't tested it, but I assume that if you wanted the key to be able to generate reports against any data stream with the same key, you would need to include index permissions for logs-*.

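A least-privilege check for the key request in the post above, as an added example that is not part of the original post or of Elastic's code: it flags grants beyond the post's minimum and tests the index `names` patterns against sample data stream names. The sample names, the `audit` and `name_matches` helpers, and the premise that the regex uses only syntax common to Lucene and Python are assumptions of this example.

```python
import re

# Constructed names (not from the post): streams the key should and should not read.
SAMPLES = ["logs-myapp.log-default", "logs-myappXlog-default",
           "logs-otherapp.log-default", ".kibana_1"]

# Request body from the post, with the Kibana privilege list shortened.
REQUEST = {
    "name": "myapp_log_reporting", "expiration": "365d",
    "role_descriptors": {"myapp_log_reporting": {
        "cluster": [], "run_as": [],
        "indices": [{"names": ["/logs-myapp[.]log-.*/"],
                     "privileges": ["view_index_metadata", "read"],
                     "allow_restricted_indices": False}],
        "applications": [{"application": "kibana-.kibana", "resources": ["*"],
                          "privileges": ["feature_discover.minimal_all",
                                         "feature_discover.generate_report"]}]}},
}

def name_matches(pattern, name):
    """Match one "names" entry: /.../ is a regex, anything else a * and ? wildcard."""
    if len(pattern) > 1 and pattern[0] == "/" == pattern[-1]:
        # Assumption: only regex syntax shared by Lucene and Python's re is used.
        return re.fullmatch(pattern[1:-1], name) is not None
    wildcard = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(wildcard, name) is not None

def audit(body, allowed_prefix, samples=SAMPLES):
    """List where a create-API-key body grants more than the post's minimum."""
    findings = [] if body.get("expiration") else ["key has no expiration"]
    for role_name, role in body.get("role_descriptors", {}).items():
        if role.get("cluster") or role.get("run_as"):
            findings.append(f"{role_name}: cluster or run_as is not empty")
        for grant in role.get("indices", []):
            if grant.get("allow_restricted_indices"):
                findings.append(f"{role_name}: allow_restricted_indices is true")
            for extra in sorted(set(grant.get("privileges", [])) - {"read", "view_index_metadata"}):
                findings.append(f"{role_name}: extra index privilege {extra}")
            for name in samples:
                hit = any(name_matches(p, name) for p in grant.get("names", []))
                if hit and not name.startswith(allowed_prefix):
                    findings.append(f"{role_name}: can read {name}")
        for app in role.get("applications", []):
            for priv in app.get("privileges", []):
                if priv == "all" or priv.endswith(".all"):
                    findings.append(f"{role_name}: broad Kibana privilege {priv}")
    return findings
```

`audit(REQUEST, "logs-myapp.log-")` returns no findings for the request as posted; with `names` changed to `logs-*` it reports that `logs-myappXlog-default` and `logs-otherapp.log-default` become readable.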