Elastic Fleet API Permissions

We have an elastic stack setup, along with fleet to manage our elastic agents. However, due to a number of technical reasons:

  1. We have to manually deploy updates to certain agents.
  2. We are limited to accessing Kibana only via URL and we do not have access directly to our Elasticsearch instance.

Our goal is to be able to pull agent policies and secrets by using an API key to directly query Kibana, for example the /_fleet API route. Unfortunately we are having issues with permissions, especially accessing fleet secrets. I know there are two ways of getting fleet secrets. The first is by directly querying the secret ID via:

https://our-kibana/api/console/proxy?path=_fleet/secret/{secret_id}&method=GET

The second way is to pull the entire .fleet-secrets index.

  curl -X POST "https://our-kibana/api/console/proxy?path=%2Efleet-secrets-7/_search&method=POST" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey $API_KEY" \
  -d '{
    "query": {
      "match_all": {}
    }
  }'

We are able to do both of these if we generate a superuser API key. However, we aren't able to get the data ("Forbidden") if we create a restricted permission key. Here is our restricted API key config:

{
  "read_fleet_secrets": {
    "cluster": [
      "monitor",
      "read_ilm"
    ],
    "indices": [
      {
        "names": [
          ".fleet-secrets",
          ".fleet-*"
        ],
        "privileges": [
          "read",
          "view_index_metadata",
          "read_cross_cluster",
          "all"
        ],
        "allow_restricted_indices": true
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_fleet.read",
          "feature_security.read",
          "feature_management.read",
          "feature_discover.read",
          "manage_internal_index_patterns"
        ],
        "resources": [
          "*"
        ]
      },
      {
        "application": "fleet",
        "privileges": [
          "all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

We checked through Elastic's documentation; however, it's currently very limited on anything related to Fleet API calls.

We've seen that it might be necessary to be a superuser to use anything related to fleet (e.g. this older post: What permissions are needed to manage Fleet/Agent Policies/Integrations). However, we were ideally hoping for a restricted set of permissions for our use case.

Thank you for your help.
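As an added example (not part of the post above and not Elastic's own code), the Python helper below does three things a reviewer of this question would want: it flags grants in the quoted role descriptor that go beyond read-only access, it builds the console-proxy request with the same headers the post's curl command uses, and it pulls the missing Elasticsearch action out of a 403 body. The Kibana URL and API key are placeholders, and the sample 403 body is constructed, not captured output.

```python
import json
import re
from urllib.parse import urlencode

# Role descriptor copied from the question (the "read_fleet_secrets" key).
ROLE_DESCRIPTORS = {
    "read_fleet_secrets": {
        "cluster": ["monitor", "read_ilm"],
        "indices": [{
            "names": [".fleet-secrets", ".fleet-*"],
            "privileges": ["read", "view_index_metadata", "read_cross_cluster", "all"],
            "allow_restricted_indices": True,
        }],
        "applications": [
            {"application": "kibana-.kibana", "resources": ["*"],
             "privileges": ["feature_fleet.read", "feature_security.read",
                            "feature_management.read", "feature_discover.read",
                            "manage_internal_index_patterns"]},
            {"application": "fleet", "privileges": ["all"], "resources": ["*"]},
        ],
        "run_as": [], "metadata": {}, "transient_metadata": {"enabled": True},
    }
}


def review_role(descriptors: dict) -> list:
    """Flag grants in an API-key role descriptor that go beyond read-only access.
    Returns one finding string per problem so callers can print or assert on them."""
    findings = []
    for name, role in descriptors.items():
        for entry in role.get("indices", []):
            privs = set(entry.get("privileges", []))
            names = entry.get("names", [])
            wildcards = [n for n in names if "*" in n]
            if "all" in privs:
                # 'all' already includes every other index privilege, so the rest is
                # noise, and it adds write/delete, which a read-only task never needs.
                findings.append(f"{name}: index privilege 'all' on {names} subsumes "
                                f"{sorted(privs - {'all'})} and grants write/delete")
            if entry.get("allow_restricted_indices") and wildcards:
                findings.append(f"{name}: allow_restricted_indices=true with wildcard "
                                f"pattern(s) {wildcards} opens every matching system index")
            if "read_cross_cluster" in privs:
                findings.append(f"{name}: 'read_cross_cluster' only matters for "
                                "cross-cluster search and can be dropped")
        for app in role.get("applications", []):
            if "all" in app.get("privileges", []) and "*" in app.get("resources", []):
                findings.append(f"{name}: application '{app['application']}' granted "
                                "'all' on every resource")
    return findings


def console_proxy_request(kibana_url: str, es_path: str, es_method: str, api_key: str):
    """Build (url, headers) for Kibana's console proxy. The proxy endpoint itself is
    always called with POST; the Elasticsearch verb travels in the query string."""
    query = urlencode({"path": es_path, "method": es_method.upper()})
    url = f"{kibana_url.rstrip('/')}/api/console/proxy?{query}"
    headers = {
        "kbn-xsrf": "true",  # Kibana rejects non-GET API calls without it
        "Content-Type": "application/json",
        "Authorization": f"ApiKey {api_key}",
    }
    return url, headers


# Elasticsearch security errors name the action the key was missing.
_ACTION_RE = re.compile(r"action \[([^\]]+)\] is unauthorized")


def diagnose(status: int, body: str) -> str:
    """Turn a proxy response into a one-line hint about what to fix."""
    if status == 401:
        return "401: API key missing, malformed or invalidated"
    if status == 403:
        m = _ACTION_RE.search(body)
        if m:
            return f"403 from Elasticsearch: key lacks a privilege granting {m.group(1)}"
        return ("403 without an Elasticsearch security_exception: most likely rejected "
                "by Kibana's own feature privileges rather than by an index grant")
    if 200 <= status < 300:
        return f"{status}: request succeeded"
    return f"{status}: unexpected status"


# Constructed sample of an Elasticsearch 403 body as relayed by the proxy (not real output).
SAMPLE_403_BODY = json.dumps({"error": {
    "type": "security_exception",
    "reason": "action [indices:data/read/search] is unauthorized for API key id "
              "[EXAMPLE_KEY_ID] of user [EXAMPLE_USER]"}, "status": 403})

if __name__ == "__main__":
    for finding in review_role(ROLE_DESCRIPTORS):
        print("-", finding)
    url, hdrs = console_proxy_request("https://our-kibana", ".fleet-secrets-7/_search",
                                      "POST", "PLACEHOLDER_API_KEY")
    print(url)
    print(diagnose(403, SAMPLE_403_BODY))
```

Run it as-is to see the four findings for the descriptor in the question; with a real Kibana URL and key, feed the status code and body of the proxy response into `diagnose` to tell an Elasticsearch index-privilege rejection (which names the action) apart from a Kibana-side one. The page's `%2Efleet-secrets-7/_search` and the `urlencode` output here decode to the same path; only the escaping differs.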

Have you checked this documentation?

Fleet permissions are managed on Kibana, not on an Elasticsearch role.

Thanks for your reply. Indeed I tried creating a fleet role, but I still get forbidden.