GET /_security/api_key does not show "role_descriptors"

I am using ES Cloud and create the api_key through the "API Console" UI on ES Cloud. The following is an example of the payload used to create an api_key:

POST /_security/api_key
{
  "name": "midtier-2025",
  "role_descriptors": {
    "midtier": {
      "index": [
        {
          "names": [
            "index1",
            "index2"
          ],
          "privileges": [
            "read",
            "write",
            "maintenance"
          ]
        }
      ]
    }
  }
}

I am trying to get the role_descriptors I supplied for the api_key. According to the doc, a simple GET call should return them, but the response does not include them at all. The following is an example:

GET /_security/api_key?name=midtier-2024

{
  "api_keys": [
    {
      "id": "fakeid2432",
      "name": "midtier-2024",
      "creation": 1707506042878,
      "invalidated": false,
      "username": "elastic-userconsole-proxy",
      "realm": "found",
      "metadata": {}
    }
  ]
}

What am I missing? Is this a permission issue or something? I would appreciate any help.

Byungsoo Kim

Hi @Byungsoo_Kim Welcome to the community

Well, assuming you are logged in as the elastic user this should work...

I did notice your POST is malformed and does not work, so perhaps you somehow submitted it with no roles once or something.

Worked for me

POST /_security/api_key
{
  "name": "midtier-2025",
  "role_descriptors": {
    "midtier": {
      "index": [
        {
          "names": [
            "index1",
            "index2"
          ],
          "privileges": [
            "read",
            "write",
            "maintenance"
          ]
        }
      ]
    }
  }
}

GET /_security/api_key?name=discuss-2025

# Results
# POST /_security/api_key 200 OK
{
  "id": "9b2oTJQBmcDx6OSl_IVj",
  "name": "midtier-2025",
  "api_key": "Fd8J9DeySjiHpXwi7UvDYQ",
  "encoded": "OWIyb1RKUUJtY0R4Nk9TbF9JVmo6RmQ4SjlEZXlTamlIcFh3aTdVdkRZUQ=="
}
# GET /_security/api_key?name=discuss-2025 200 OK
{
  "api_keys": [
    {
      "id": "VbykTJQBS9VyZaU1NbtQ",
      "name": "discuss-2025",
      "type": "rest",
      "creation": 1736452617570,
      "invalidated": true,
      "invalidation": 1736452908001,
      "username": "elastic",
      "realm": "found",
      "realm_type": "file",
      "metadata": {},
      "role_descriptors": {
        "midtier": {
          "cluster": [],
          "indices": [
            {
              "names": [
                "index1",
                "index2"
              ],
              "privileges": [
                "read",
                "write",
                "maintenance"
              ],
              "allow_restricted_indices": false
            }
          ],
          "applications": [],
          "run_as": [],
          "metadata": {},
          "transient_metadata": {
            "enabled": true
          }
        }
      }
    }
  ]
}

Stephen,

Thanks for correcting the JSON; I manually modified the production payload and I am 100% sure I submitted the right payload when I generated the api key. Otherwise, we would have had an outage in prod. I updated it in the original post.

Well, assuming you are logged in as the elastic user this should work...

I am not an admin and the UI is the only way I can make API calls; I log in to Elastic Cloud, click "Manage" next to the cloud deployment, and select "API Console". From there, I run the API calls. Maybe this is a permission issue for my user?

Byungsoo

Well, as Elastic Cloud Admin I see the complete response, so I suspect your privileges are limited...

Stephen,

Thanks for trying it from UI. I agree that it has something to do with privileges.

I have little knowledge of the user security model in Elasticsearch and I don't know which permission is missing. Could you direct me to a doc or something? (The admin will ask which permission I need. One thing he will NOT give away is a general read permission, since we limit access to the customer data.)

I am not sure there is enough granular access ...

Docs

Go to Elastic Cloud Console and go to your profile and check your role.

I suspect you are a viewer

  • Viewer - Can view deployments, and can sign on to the deployment with the viewer Stack role. This role can be scoped to one or more deployments.

So you should be able to click on the Kibana link and then Go To Dev Tools and run the command.

I am not sure... you can also open a support ticket

This is almost certainly due to looking at the docs for a different version than you are actually running.

The role descriptors were not shown before Elasticsearch version 8.5, and I suspect you are running an older version.

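An added example (not code from the thread or from Elastic) that applies the point above from a defender's side: it reads the cluster version from the GET / body to tell whether the key listing will carry role_descriptors at all, and for a listing in the 8.x shape shown earlier in the thread it flags keys whose scope cannot be verified from the response and keys with over-broad grants. All sample bodies, ids and names are constructed placeholders.

```python
"""Audit a GET /_security/api_key response; added example, not Elastic's code."""
import json

# Constructed GET / body (ids/names throughout are placeholders); only version.number is used.
CLUSTER_INFO = json.dumps({"version": {"number": "7.13.0"}})

# Constructed 8.x-style response, modelled on the shape shown in the thread.
API_KEYS_8X = json.dumps({"api_keys": [
    {"id": "placeholder-id-1", "name": "midtier-2025", "invalidated": False,
     "role_descriptors": {"midtier": {"cluster": [], "indices": [
         {"names": ["index1", "index2"],
          "privileges": ["read", "write", "maintenance"]}]}}},
    {"id": "placeholder-id-2", "name": "legacy-all", "invalidated": False,
     "role_descriptors": {"admin": {"cluster": ["all"], "indices": [
         {"names": ["*"], "privileges": ["all"]}]}}}]})

# Constructed 7.x-style response, as in the original post: no descriptors at all.
API_KEYS_7X = json.dumps({"api_keys": [
    {"id": "placeholder-id-3", "name": "midtier-2024", "invalidated": False}]})


def version_tuple(info_json: str) -> tuple:
    """Turn version.number ("7.13.0", "8.5.1-SNAPSHOT") into a comparable tuple."""
    number = json.loads(info_json)["version"]["number"]
    return tuple(int(p) for p in number.split("-")[0].split("."))


def shows_role_descriptors(info_json: str) -> bool:
    """True from 8.5 on, the version the thread names as the first to return them."""
    return version_tuple(info_json) >= (8, 5)


def audit_api_keys(keys_json: str) -> list:
    """One dict per key: name, whether its scope is verifiable from this
    response, and any over-broad grants (cluster all, wildcard names, all)."""
    findings = []
    for key in json.loads(keys_json)["api_keys"]:
        descriptors = key.get("role_descriptors")
        entry = {"name": key["name"], "verifiable": descriptors is not None,
                 "broad_grants": []}
        for role, desc in (descriptors or {}).items():
            if "all" in desc.get("cluster", []):
                entry["broad_grants"].append(f"{role}: cluster all")
            for idx in desc.get("indices", []):
                if "*" in idx["names"] or "all" in idx["privileges"]:
                    entry["broad_grants"].append(
                        f"{role}: {idx['names']} -> {idx['privileges']}")
        findings.append(entry)
    return findings
```

On a cluster older than 8.5 every key comes back with verifiable set to False, which is the situation in the original post: the scope of the key has to be confirmed some other way until the cluster is upgraded.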

Tim,

Thanks for checking. That may be the case; we are using Elastic Stack version 7.13. I did check some old doc (7.17) and the example in it did not have the content for role_descriptor, so I was not sure whether it was supposed to be returned or not.

I will ask my admin if we have any plan to upgrade the version. If not, I guess I am stuck on this issue.

Thanks for your help

Byungsoo

7.13 is three and a half years old, has a number of published vulnerabilities, and is no longer supported or maintained. You should definitely encourage your admin to upgrade.

All of 7.x will cease to be maintained once 9.0 is released, so you should be planning to move to 8.x soon.