How to edit role descriptor for a service account

I would like to edit the default role descriptor for service account elastic/kibana, however, I do not find a way to achieve this.
Alternatively, I created a role with the privileges I want to have on service account elastic/kibana, but I do not find the way to assign this role to the existing elastic/kibana.
Any help will be appreciated.

No it's not possible and that's by design. I am not sure why you want to do that. Service accounts are designed to be used by specific services, e.g. Kibana and therefore their privileges are precisely scoped for the service. Adding or removing privileges from it can risk either breaking the services or security vulnerability. If you need to do something that is not allowed for the elastic/kibana service account, it is better off to create an entirely separate user.

Hi @Yang_Wang , thanks for checking this issue.
Ok, yes I was getting the following in the logs of an application:

ERROR security_exception: [security_exception] Reason: action [indices:admin/settings/update] is unauthorized for user [elastic/kibana] on indices [index-name-here], this action is granted by the index privileges [manage,all]

I thought that I could add the privileges to these indices to the elastic/kibana service account

In what context did you get the error? Is this for something configured out of the box by some Elastic product? In that case, I'd consider this a bug and appreciate if you could provide reproduction steps. Or did you configure something on your own? Thanks!

Hi @Yang_Wang ,

In what context did you get the error?

This is an application I installed and configured on top of Elastic Stack, so I do not think it is a bug, it is not an Elastic product.
As there is no workaround (or shouldn't be) to provide service account elastic/kibana with permissions over other indices I will do some more testing.
Thanks a lot!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.