Curator delete indices shield permissions

I have a working curator delete script that works when I run it from my very privileged admin account. I am trying to get it to work with a curator role and I want to limit the actions to exactly what is required.

This is how the role is defined:

curator:
  cluster: montior
  indices:
    '.-shield_audit_log-*':
      -indices:admin/delete, indices:admin/exists, indices:admin/get

When I run the curator script as the curator account I get a message saying no indices found. I am looking to remove indices that are more than 7 days old. Again, when I run the curator account in my full admin role, it does find and remove the indices.

Hi Doug,

If this role is for the Shield Index Audit output, I believe that you have an extra - in the index name:

'.-shield_audit_log-*' should be '.shield_audit_log-*'

Jay

Sorry, that was a typo when I was entering the post. I do not have the
.-shield but rather .shield. Like I said, when I use my credentials it
works, but not with the credentials I have set up for the curator roles.

Can you try updating the role to:

curator:
  cluster: monitor
  indices:
    '.shield_audit_log-*':
      - indices:monitor/settings/get
      - indices:admin/delete
      - indices:admin/exists
      - indices:admin/get 

I believe curator gets the list of indices through the get settings API.

A side note: one way to determine the necessary privileges would be to look at the access_granted entries in the audit log from your administrative user when curator is interacting with Shield.
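The audit-log approach suggested above, as an added example that is not part of the original thread: it collects the actions granted to the administrative user, folds the daily index names into the role's wildcard pattern, and reports what a candidate role would lack. The events are constructed, the field names (`event_type`, `principal`, `action`, `indices`) are assumptions modelled on Shield's index audit output, and the function names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample, not a real Curator trace. Field names (event_type,
# principal, action, indices) are assumed, modelled on Shield's index audit output.
SAMPLE_EVENTS = """
{"event_type": "access_granted", "principal": "admin", "action": "cluster:monitor/health"}
{"event_type": "access_granted", "principal": "admin", "action": "indices:admin/get", "indices": [".shield_audit_log-2015.10.01", ".shield_audit_log-2015.10.09"]}
{"event_type": "access_granted", "principal": "admin", "action": "indices:admin/delete", "indices": [".shield_audit_log-2015.10.01"]}
{"event_type": "access_granted", "principal": "admin", "action": "indices:data/read/search", "indices": ["logstash-2015.10.09"]}
{"event_type": "access_denied", "principal": "curator", "action": "indices:admin/get", "indices": [".shield_audit_log-2015.10.01"]}
"""

def granted_actions(lines, principal, patterns):
    """Return (cluster_actions, {pattern: actions}) granted to `principal`."""
    cluster, by_pattern = set(), {}
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("event_type") != "access_granted" or event.get("principal") != principal:
            continue
        action = event["action"]
        if action.startswith("cluster:"):
            cluster.add(action)
            continue
        for index in event.get("indices") or []:
            # Fold concrete daily index names into the role's wildcard pattern;
            # indices outside the patterns of interest are ignored.
            for pattern in patterns:
                if fnmatchcase(index, pattern):
                    by_pattern.setdefault(pattern, set()).add(action)
                    break
    return cluster, by_pattern

def missing_from_role(required, role):
    """Actions seen in the audit log that `role` ({pattern: actions}) lacks."""
    gaps = {}
    for pattern, actions in required.items():
        lacking = actions - set(role.get(pattern, ()))
        if lacking:
            gaps[pattern] = sorted(lacking)
    return gaps

if __name__ == "__main__":
    pattern = ".shield_audit_log-*"
    cluster, required = granted_actions(SAMPLE_EVENTS.splitlines(), "admin", [pattern])
    thread_role = {pattern: ["indices:admin/delete", "indices:admin/exists", "indices:admin/get"]}
    print("cluster:", sorted(cluster))
    print("indices:", {p: sorted(a) for p, a in required.items()})
    print("gaps:", missing_from_role(required, thread_role))
```

An empty result from `missing_from_role` means the candidate role's privileges cover everything observed, so a remaining failure points at how the role is written or loaded rather than at a missing action.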

Figured out the issue. I needed to put the indices on the single line with the log name:

'.shield_audit_log-*' : indices:admin/get, indices:admin/delete

These are the methods that are called. I don't really understand why the list option did not work. Also, when using the list format, I did not get entries in the security log; once I switched to the single line option as shown above, I could see the entries in the log.

Thanks for the help, really appreciated.