Create an API key using a client authenticated by an existing API key

I am using an API key to create an elasticsearch client. I am using the client to create another API key but is getting an error. Any idea whether the existing key (or the derived key) needs to be created with certain privileges?

co.elastic.clients.elasticsearch._types.ElasticsearchException: [es/security.create_api_key] failed: [illegal_argument_exception] creating derived api keys requires an explicit role descriptor that is empty (has no privileges)
at co.elastic.clients.transport.ElasticsearchTransportBase.getApiResponse(
at co.elastic.clients.transport.ElasticsearchTransportBase.performRequest(

Hi @Jim_Song ! Thanks for reaching out, I hope I can be of some help here.

Looking at the error you're getting, it sounds like you are attempting to create a derived key based off of the initial API key you used for creating the ES client. Elasticsearch makes use of the currently authenticated user to define the permissions when creating a new API key, and these permission can be modified via the role_descriptors attribute. The situation you're running into is what happens when creating another API key from an existing API key (making it a derived API key). Because of how the privileges are determined based on the currently authenticated user, the newly derived key cannot be assigned privileges to contact ES. To still allow it to be usable for authentication, it must explicitly have a role_descriptor without any privileges. The documentation explains it here. Specifically this note:

Due to the way in which this permission intersection is calculated, it is not possible to create an API key that is a child of another API key, unless the derived key is created without any privileges. In this case, you must explicitly specify a role descriptor with no privileges. The derived API key can be used for authentication; it will not have authority to call Elasticsearch APIs.

As stated, if you would like to use the derived API key solely for authentication, then you should be fine, but for anything beyond that, it would be best to create all your API keys via your initial authenticated user with manage_own_api_key cluster privileges and specify the privileges for each api key via the role_descriptors attribute. Apologies for any inconveniences this may have caused and I hope this helps!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.