Authentication working with username/password but not with API key


I have set up a self-managed 3-node Elasticsearch cluster on Kubernetes using instructions here. I haven't yet added any extra bells and whistles, but pretty much used the YAML in the link.

I am able to cURL for various endpoints such as /_cluster/health using username and password, but now with an API key I generated.

I generated the API key as follows:

POST /_security/api_key
  "name": "my-api-key",
  "expiration": "365d", 
  "role_descriptors": { 
    "role-b": {
      "cluster": ["all"],
      "index": [
          "names": ["*"],
          "privileges": ["all"]

I then generated the credentials using

CREDENTIALS=$(echo "${API_ID}:${API_KEY}" | base64)

I then used the credentials to query for cluster health as follows (please note I'm using -k flag):

curl -H "Authorization: ApiKey $CREDENTIALS" -k https://${CLUSTER_IP}:${CLUSTER_PORT}/_cluster/health

I get the following error:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/_cluster/health]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/_cluster/health]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}

Please note that if I use -u $USERNAME:$PASSWORD option for authorization, it does work.

I think this has to do with xpack security and certificates, etc.

Can somebody please opine?


Well one thing I see from the example.

echo -n "VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw" | base64

Use -n so that the echo command doesn’t print the trailing newline character

Also have you tried it without a without the environment variables substitution just putting it all in the curl command.

I don't think the -k it's treated any difference and when using username and password vs API key.

Thanks, I missed the -n flag.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.