Elasticsearch: Create API Key based on role?

In the Create API key API documentation, it shows the complete role definition for the API key being included in the /_security/api_key request.

However, in the example shown, supposed I already have role-a and role-b defined as user roles. Is there a way to create the API key based on those previously-defined roles, without having to completely recreate them in the key?

No that is not possible.

Although API Keys use the same JSON format as roles, they operate quite differently.

Although it would sometime be convenient to use an existing role to describe a new API Key, it would be misleading - the API Key would not be tied to the role in any way, it would simply be a convenience to copy the current permissions from that role into the new API Key.

We have discussed whether we should offer that sort of convenience feature, but we feel that it would create too much confusion - most people would be surprised to find that changes to the roles would not be reflected in permissions of the API key.

1 Like

Thanks. That's not what I hoped to hear, but it is what I expected to hear. It's not a major issue, since I can always retrieve a role and include it as a role_descriptor when generating an API key, and since I generate my API keys as an admin user, they should always have the exact permissions I anticpate. Or at least they always have so far.

The request body portion of the Create API key API documentation is fairly clear regarding pinning permissions to a snapshot of the current user permissions:

(Optional, array-of-role-descriptor) An array of role descriptors for this API key. This parameter is optional. When it is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user . If you supply role descriptors then the resultant permissions would be an intersection of API keys permissions and authenticated user’s permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for create role API. For more details, see create or update roles API.

If you were to allow an API key to be mapped to a point-in-time snapshot of role permissions and were to use similar wording, it should be clear enough, IMO.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.