Minimum Privilege Required for Logstash Account

Hi,

Given than I need to set the API key or username/password pair in Logstash config (and they might get exposed). I need to set the privilege to the absolute minimum for the relevant account

I've went over the roles here https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html but I'm still not clear on the required roles (it obviously needs to add events to the DB, create an index...etc.)

The configuration we have is pretty standard and we are running version 7.9

So what are the minimum roles required for Logstash to work

Thanks

Hosam.