Granting Privileges on Datastream Alias not the same in Backing Indices

I'm using filebeat and i have created 3 datastreams .

PUT _data_stream/data_s1-2022.06.08
PUT _data_stream/data_s2-2022.06.08
PUT _data_stream/data_s3-2022.06.08

And created 3 alias for that datastreams:

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "data_s1-2022.06.08",
        "alias": "data_s1",
        "is_write_index": true
      }
    }
  ]
}

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "data_s2-2022.06.08",
        "alias": "data_s2",
        "is_write_index": true
      }
    }
  ]
}

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "data_s3-2022.06.08",
        "alias": "data_s3",
        "is_write_index": true
      }
    }
  ]
}

Then an API Key for give permissions:

POST /_security/api_key
{
  "name": "filebeat_datastreams", 
  "role_descriptors": {
    "filebeat_writer": { 
      "cluster": ["monitor", "manage_ingest_pipelines"],
      "index": [
        {
          "names": ["data_s1", "data_s2", "data_s3"],
          "privileges": ["create_doc", "auto_configure"]
        }
      ]
    }
  }
}

After give the API Key to filebeat all works well for data_s1, and data_s3 but data_s2 complains.

action [indices:admin/mapping/auto_put]  is unauthorized for API key id [ID] of user [elastic] on indices [.ds-data_s2-2022.06.08-2022.06.08-000001], this action is granted by the index privileges [auto_configure,manage,write,all]\"}

I can say that data_s2 is generated by the netflow filebeat module for version 8.1.0, the other datastreams works well.

  • My use case requires the minimun privilege for the API key.
  • I can't understand why the privilege is requested by the backing indice if the other datastreams works well.
  • I need to resolve the indirection level using the alias on Elasticsearch for management reasons.