How to create API Key for user with `viewer` role?

I've been able to successfully create api keys for super user accounts. But I don't seem to have the option to create api keys for users that only have the role viewer. So for example, I made this user:

But when I go to the API Key section, I do not see the option to choose the user for which I wish to create an API key for...see this image:

The user is stuck as elastic as circled in the image.

Where do I go to set the api key for a user with viewer role only? As of right now, the apmuser@test.com makes curl requests like this

curl -X GET -u apmuser:mypassexample "https://localhost:9200/myindex/_search?pretty"

Would be great if I could change it to

curl -X GET -H 'Authorization: ApiKey ...thekey...' "https://localhost:9200/myindex/_search?pretty"

I have a temporary solution, it goes as follows. I start with a user called elastic which is a super user.

  1. Login as elastic
  2. Create a user called apmuser and give the role superuser.
  3. Login as the apmuser
  4. Go to Stack Management>API Keys and create an API Key for yourself since you're currenlty the apmuser (because it seems you can only create api keys for the user you're logged in as, there's no option to create api keys for any other user). Save the API Key
  5. Go to Users and click on your own account, then change your role to viewer instead of superuser.
  6. Press Update User. This should cause a screen to appear to say you've lost access to the user management session. Which maeks sense because you're no longer a super user as soon as you've saved your profile.

And now the API Key for apmuser should work fine.

Is there a way to do the same thing without resorting to this round-a-bout way?

Does Create API key API | Elasticsearch Guide [8.5] | Elastic provide any clarity there?

There are required permissions, but you should be able to create one yourself if you have those.

This is not true. You can "grant" an API key to another user. I think this might be what you were looking for. Please refer to this documentation page.

thanks for clarification. In my question, I meant to say "there's no option to create api keys for any other user FROM WITHIN KIBANA UI". Is that still true? I understand you can do it programmatically, but I didn't see an option to do it through Kibana's user interface.

That depends on whether you count Kibana Dev Tools as part of its UI.

Also, did you enable "Restrict privileges" when you creating the API key using the apmuser when it still has the superuser role? If not, the API key was created with more permission than you might expect, i.e. it has superuser privileges. I understand that you removed superuser role from apmuser afterwards. But that does not affect any API keys created before the change.

Thank you. THe grant api key rest api worked. So basically I did this:

  1. Login as elastic super user.
  2. Go to Stack Management>Users.
  3. Create the user apmuser with password mypassexample with role viewer.
  4. Go to Dev Tools.
  5. Paste this code to generate api key for the apmuser
POST /_security/api_key/grant
{
  "grant_type": "password",
  "username": "apmuser",
  "password": "mypassexample",
  "api_key" : {
    "name": "apmuser-key"
  }
}

On separate note, thanks for mentioning the point about Restricted Privileges in my earlier workflow, that it will still use the privileges of the superuser even if i change the role afterwards. Actually, can you point in me in the right direction on understanding the use cases for Roles vs. Roles Descriptors for API Keys? Why are there two paradigms for managing a user's capabilities?

i actually i guess i understand the difference between Role vs. Role Descriptors for API Keys. It's concievable for two different entities to use the apmuser account. One entity is a real human being that actually logs into the kibana website. And the other entity could be programmatic software that needs to access the elastic api. These two entities can have different privileges by distinguishing Roles for human users and Role Descriptors for API keys.

When setting up api keys, if you don't explicitly specify role descriptions, then elastic will generate default role descriptors based on the user's role.