Fleet API account missing security settings

Hi all,

I'm on v8.6 of the ELK stack and working on some new custom log parsing. It looks like the configuration is reading our initial test data properly; however, it appears the built-in Fleet API account is missing some permissions and is unable to create the index:

{"type":"security_exception","reason":"action [indices:admin/auto_create] is unauthorized for API key id [KEYID] of user [elastic/fleet-server] on indices [logs-connectedclients-default], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}, dropping event!

Since this was automatically set up when configuring Fleet, I don't have a way to adjust the permissions since the accounts / roles are all built-in.

Is there a way to adjust these some other way?

Hi, it might be because the API keys are not regenerated with the new data stream permissions.
Have you installed a new version of the integration? It could help to upgrade or re-add the integration policy; that should trigger the API key regeneration.
Here is a related public issue: [Fleet] API Keys are not updated after adding data streams to package · Issue #148524 · elastic/kibana · GitHub
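
One way to confirm the stale-key diagnosis suggested above, as an added example that is not part of the original posts or of Elastic's code: parse the `security_exception` reason and check whether any index grant in the API key's role descriptors covers the rejected data stream. The key record is constructed sample data, assumed to be shaped like one entry of the Elasticsearch Get API key response (`role_descriptors`); the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Constructed samples: the error text from the post, and a made-up API key record.
ERROR = ('action [indices:admin/auto_create] is unauthorized for API key id [KEYID] '
         'of user [elastic/fleet-server] on indices [logs-connectedclients-default], '
         'this action is granted by the index privileges '
         '[auto_configure,create_index,manage,all]')
STALE_KEY = {"id": "KEYID", "role_descriptors": {"constructed-policy-role": {"indices": [
    {"names": ["logs-system.syslog-*", "metrics-system.cpu-*"],
     "privileges": ["auto_configure", "create_doc"]}]}}}

PATTERN = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for API key id \[(?P<key_id>[^\]]+)\] "
    r"of user \[(?P<user>[^\]]+)\] on indices \[(?P<indices>[^\]]+)\], "
    r"this action is granted by the index privileges \[(?P<privs>[^\]]+)\]")

def parse_denial(reason):
    """Extract action, key id, user, indices and sufficient privileges from the error."""
    m = PATTERN.search(reason)
    if m is None:
        raise ValueError("not an API-key index authorization failure")
    d = m.groupdict()
    d["indices"] = [i.strip() for i in d["indices"].split(",")]
    d["privs"] = {p.strip() for p in d["privs"].split(",")}
    return d

def covering_grants(key, index, sufficient):
    """Return (role, pattern) pairs that grant a sufficient privilege on index.
    Simplification: only '*' wildcards in index patterns are expected here."""
    hits = []
    for role, desc in key.get("role_descriptors", {}).items():
        for grant in desc.get("indices", []):
            if sufficient & set(grant.get("privileges", [])):
                hits += [(role, p) for p in grant.get("names", []) if fnmatchcase(index, p)]
    return hits

def diagnose(reason, key):
    """Map each rejected index to the grants covering it; an empty list means the
    key has no matching grant for that data stream."""
    d = parse_denial(reason)
    if key["id"] != d["key_id"]:
        raise ValueError("API key record does not match the key named in the error")
    return {i: covering_grants(key, i, d["privs"]) for i in d["indices"]}

if __name__ == "__main__":
    print(diagnose(ERROR, STALE_KEY))
```

An empty list for `logs-connectedclients-default` is what a key issued before the data stream was added would show; after the policy is re-added and the key regenerated, the same check should list a matching pattern.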

Thank you for the info, Julia!

As I was working through this a bit, since I saw the data stream was deprecated, I moved over to filestream and was able to get that working!
