API Key Minimum Permissions for Querying Kibana Fleet Agents

I'm on Elastic Cloud 8.9.1 using the Kibana Fleet APIs to pull agent information. In trying to figure out the minimum permissions needed for /api/fleet/agents, I have created a user account with a custom role with permissions:

  • Elasticsearch - none
  • Kibana - All Spaces: Fleet - All, Integrations - Read

Submitting requests to [my_kibana_endpoint]/api/fleet/agents using that account is returning correct results. I am wondering if it is possible to create an API key with those same minimum permissions rather than user:password authentication for scripting.

Examples at Kibana Fleet APIs | Fleet and Elastic Agent Guide [8.10] | Elastic show using an API Key in the sample requests. However, with role descriptors for API keys I'm unsure how to specify Kibana only permissions but maybe that's not possible? Can someone point me in the right direction?

Hi Gary!

You can use the created user:password as API key by using the base64 encoded version of username:password string:

--header 'Authorization: ApiKey yourbase64encodedkey' \

Using the base64 version of my specific username:password as the API Key produced the error:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate with provided credentials and anonymous access is not allowed for this request]: unable to authenticate with provided credentials and anonymous access is not allowed for this request"}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.