Hi team
I have used the elasticsearch superuser (elastic) credentials to automatically set up a bunch of elasticsearch indexes by sending the index-file.json contents to the Elastic API endpoint.
My struggle is that I would very much like to do the same with the Kibana settings because there are a lot more of them but I am having some challenges understanding whether this is even possible from the ECE documentation...
If I use the Kibana Endpoint and the elastic (superuser) username and password as credentials I only ever receive a 401 (unauthorized) response. If I use the Elastic endpoint base url this doesn't appear to work with any of the Kibana API endpoints... which is not entirely a suprise...
Is this process documented anywhere with some good examples? Do I need to create a new user in Kibana with some sort of other permissions? I really want to avoid having to upload all the kibana saved objects manually every time we make a change or acquire a new customer.
Really appreciate any help with this
Can you give an example of a (sanitized) API endpoint call that is returning 401?
Using elastic should allow you to do anything (on a recent cluster - older - 12+ months - ones had some additional restrictions)
Also 401 is normally "wrong password", 403 is what you get when you're not allowed to do something
Ah I just re-read .. I suspect the problem is that your Kibana isn't configured to support basic auth?
Do you have a config for xpack.security.authc.providers in your Kibana YAML? (It defaults to allowing basic)
https://www.elastic.co/guide/en/kibana/7.x/kibana-authentication.html
EDIT: see below
Oh in fact, some more digging ... looks like Kibana API only allows token based auth: https://www.elastic.co/guide/en/kibana/7.6/using-api.html
Thanks @Alex_Piggott
Actually it get's a bit more interesting than that 
I'm using PowerShell with the ElasticAPI endpoints and if I create a PSCredential object for Invoke-RestMethod that works fine...
$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
$ElasticCreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
This approach doesn't work with the Kibana endpoints
HOWEVER if I go back to something like this which is (possibly) more like curl...
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
$Headers = @{Authorization=("Basic {0}" -f $base64AuthInfo)}
Then this works with https://KibanaAPIendpoint/api/status
I have set xpack.security.authc.providers: [basic] in the Kibana.yml backend via the user setting over-rides.
Any ideas why one approach would work with Elasticsearch but doesn't with Kibana?
This maybe explains it: PowerShell's Invoke-RestMethod equivalent of curl -u (Basic Authentication) - Stack Overflow
As noted in the comments, this method will not send the Authorization header on the initial request. It waits for a challenge response then re-sends the request with the Authorization header. This will not work for services that require credentials on the initial request.
I guessing the Kibana API falls into that category and ES API doesn't? Probably worth posting over in the Kibana forum to discuss the gory details 
Aha! That's super useful to know Alex - thanks
Yes, I will put this in the Kibana forum tomorrow