I've been able to successfully create api keys for super user accounts. But I don't seem to have the option to create api keys for users that only have the role viewer. So for example, I made this user:
I have a temporary solution, it goes as follows. I start with a user called elastic which is a super user.
Login as elastic
Create a user called apmuser and give the role superuser.
Login as the apmuser
Go to Stack Management>API Keys and create an API Key for yourself since you're currenlty the apmuser (because it seems you can only create api keys for the user you're logged in as, there's no option to create api keys for any other user). Save the API Key
Go to Users and click on your own account, then change your role to viewer instead of superuser.
Press Update User. This should cause a screen to appear to say you've lost access to the user management session. Which maeks sense because you're no longer a super user as soon as you've saved your profile.
And now the API Key for apmuser should work fine.
Is there a way to do the same thing without resorting to this round-a-bout way?
thanks for clarification. In my question, I meant to say "there's no option to create api keys for any other user FROM WITHIN KIBANA UI". Is that still true? I understand you can do it programmatically, but I didn't see an option to do it through Kibana's user interface.
Also, did you enable "Restrict privileges" when you creating the API key using the apmuser when it still has the superuser role? If not, the API key was created with more permission than you might expect, i.e. it has superuser privileges. I understand that you removed superuser role from apmuserafterwards. But that does not affect any API keys created before the change.
On separate note, thanks for mentioning the point about Restricted Privileges in my earlier workflow, that it will still use the privileges of the superuser even if i change the role afterwards. Actually, can you point in me in the right direction on understanding the use cases for Roles vs. Roles Descriptors for API Keys? Why are there two paradigms for managing a user's capabilities?
i actually i guess i understand the difference between Role vs. Role Descriptors for API Keys. It's concievable for two different entities to use the apmuser account. One entity is a real human being that actually logs into the kibana website. And the other entity could be programmatic software that needs to access the elastic api. These two entities can have different privileges by distinguishing Roles for human users and Role Descriptors for API keys.
When setting up api keys, if you don't explicitly specify role descriptions, then elastic will generate default role descriptors based on the user's role.