Problems getting filebeats to work with API keys

I have just got filebeats (7.17.1) working on a bunch of ubuntu systems. I initially tried to use API keys for authentication but got errors from filebeat "API key: invalid ApiKey value" when it connects to the ES server. I swapped to using username and password and that worked fine.

The API keys were setup :

{
  "superuser": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "*"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": true
      }
    ],
    "run_as": [
      "beat_ingest"
    ]
  }
}

where beat_ingest is the user that works when not using API key.

I am trying using the run as because I was hoping to be able to change privs without generating and distributing a new key.

Have I misunderstood how this is supposed to work?