Elastic Fleet API Permissions

elasticfantastik · October 8, 2024, 5:54pm

We have an elastic stack setup, along with fleet to manage our elastic agents. However, due to a number of technical reasons:

We have to manually deploy updates to certain agents.
We are limited to accessing Kibana only via url and we do not have access directly to our Elasticsearch instance.

Our goal is to be able to pull agent policies and secrets via using an API KEY to directly query Kibana, for example the /_fleet api route. Unfortunately we are having issues with permissions, especially accessing fleet secrets. I know there are two ways of getting fleet secrets. The first is by directly querying the secret ID via:

https://our-kibana/api/console/proxy?path=_fleet/secret/{secret_id}&method=GET

The second way is to pull the entire .fleet-secrets index.

  curl -X POST "https://our-kibana/api/console/proxy?path=%2Efleet-secrets-7/_search&method=POST" \   
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey $API_KEY" \
  -d '{
    "query": {
      "match_all": {}
    }
  }'

We are able to do both methods this if we generate a superuser API key. However, we aren't able to get the data ("Forbidden") if we create a restricted permission key. Here is our restricted API Key config:

{
  "read_fleet_secrets": {
    "cluster": [
      "monitor",
      "read_ilm"
    ],
    "indices": [
      {
        "names": [
          ".fleet-secrets",
          ".fleet-*"
        ],
        "privileges": [
          "read",
          "view_index_metadata",
          "read_cross_cluster",
          "all"
        ],
        "allow_restricted_indices": true
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_fleet.read",
          "feature_security.read",
          "feature_management.read",
          "feature_discover.read",
          "manage_internal_index_patterns"
        ],
        "resources": [
          "*"
        ]
      },
      {
        "application": "fleet",
        "privileges": [
          "all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

We checked through elastic's documentation, however it's currently very limited on anything related to fleet api related calls.

We've seen that it might be necessary to be a superuser to use anything related to fleet (e.g. this older post: What permissions are needed to manage Fleet/Agent Policies/Integrations). However, we were ideally hoping for a restricted set of permissions for our use case.

Thank you for your help.

leandrojmp · October 8, 2024, 7:20pm

Have you checked this documentation?

Fleet permissions are managed on Kibana, not on a elasticsearch role.

elasticfantastik · October 8, 2024, 8:16pm

Thanks for your reply. Indeed I tried creating a fleet role, but I still get forbidden.

Topic		Replies	Views
API Key Minimum Permissions for Querying Kibana Fleet Agents Kibana fleet	3	328	November 6, 2023
How to query list of offline agents using the Fleet API? Kibana fleet	12	1518	September 18, 2023
Permissions to view and manage agents in fleet Elastic Agent fleet	3	216	February 21, 2024
Fleet permissons Kibana	2	1190	April 9, 2024
How to get details of fleet server Kibana	4	406	August 22, 2023

Elastic Fleet API Permissions

Related topics