Is it possible to retrieve the api_key value after initial creation?

I'm relatively new to Elastic and can't seem to find information about this with a search...

I understand that anyone creating an API key should secure the api_key value returned at creation. Is there any way for a superuser to retrieve that afterwards (i.e. like you can retrieve primary/secondary keys of an Azure Log Analytics workspace)?

I'm approaching this from the perspective of an API key created to use for Beats agent authentication, or perhaps automation using REST API's. The person that created it leaves the company. It's easy to return every property of the API key via query--except the actual key value.

This appears to be by design, but gotta ask. The documentation for using GET /_security/api_key does not say you can or can't retrieve the actual key value.

Thanks in advance!

Hi,

No, you cannot get an API key after creation.

And if the person leaves the company you should most definitely change the API key(invalidate the old and create a new one)!

What you can do depends on the user type the API key was created for(of course I expect that the user is a functional account):
If the user was a native user you can simply change the password as administrator and login with the new credentials to create an API key.
If the user is managed from active directory you can ask your IT to transfer the ownership to a new colleague so he can change the password and create API keys.

Depending on your usecase you might also want to check this documentation: Grant API key API | Elasticsearch Reference [7.11] | Elastic

It describes how to create an API key for other users.

Best regards
Wolfram

Thank you for confirming this so quickly. Greatly appreciated!