Role settings for logging user (Beats)

I'm trying to configure our new cloud cluster (1e7502) and I would like to create a user that only has access to create indices and log data to them. Basically, for my FileBeat/MetricBeat/anyBeat agents.

I created a new role "DataLoggers", with no cluster privileges, no "run as" privileges, and one index privilege of "*" -> "all".

That user gets "403 Forbidden" errors when trying to log data.

What are the required privs for this?

Hi @Cylindric,

First off, allowing an index privilege of "*" -> "all" does not sound secure. This user will have all index privileges on all your indices.
I assume you did this for testing only, but still.
If this user is only used for indexing, you should be fine with write, create and delete (not sure if delete is required in your use case), then assign this only to the index patterns the beats are using.

The 403 comes from the missing cluster privileges; I tested with a simple filebeat config and you need at least monitor and manage_index_templates.

I think monitor is needed to get stats about the cluster itself (e.g. whether it's healthy) and manage_index_templates is needed to check if there is a template, or to put the template if there is none.

Hope that helps.

Note: I moved this to the Beats section as it seems more related to Beats than Elastic Cloud.
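As an added example (not part of the original thread, and not Elastic's own tooling), the following script models the two roles discussed above, the overbroad "*" -> "all" role from the question and the least-privilege role the answer recommends, and checks each one against the privileges a Beats shipper needs at startup. The role body shape is assumed to match the Elasticsearch role API (PUT /_security/role/<name>); the index patterns filebeat-* and metricbeat-* and the list of required actions are constructed for the example, and privilege matching is a simplified model (names matched literally, with "all" as a superset) rather than Elasticsearch's real privilege hierarchy.

```python
"""
Added example: a self-contained model of an Elasticsearch role definition
that lets you check whether a role grants what a Beats shipper needs, and
how far an overbroad grant reaches, before you PUT the role to the cluster.

Assumptions (not stated in the thread):
  * Role bodies follow the shape of the Elasticsearch role API
    (PUT /_security/role/<name>):
    {"cluster": [...], "indices": [{"names": [...], "privileges": [...]}]}
  * Privilege names are matched literally, with "all" treated as a superset
    of every privilege. Real Elasticsearch privileges form a richer
    hierarchy; this is a simplified model for reasoning about least privilege.
  * Index patterns use shell-style wildcards (fnmatch), which is how the
    "*" and "filebeat-*" patterns in the thread behave.
"""
from fnmatch import fnmatch

# The role from the original question: no cluster privileges, "*" -> "all".
OVERBROAD_ROLE = {
    "cluster": [],
    "indices": [{"names": ["*"], "privileges": ["all"]}],
}

# A least-privilege role following the answer: monitor + manage_index_templates
# on the cluster, and write/create (plus delete, if you need it) only on the
# Beats index patterns. The patterns here are an assumption for the example;
# use the ones your Beats actually write to.
BEATS_ROLE = {
    "cluster": ["monitor", "manage_index_templates"],
    "indices": [
        {"names": ["filebeat-*", "metricbeat-*"],
         "privileges": ["write", "create", "delete"]},
    ],
}

# What a Beats shipper does at startup and while shipping, expressed as
# (scope, privilege, target) tuples. Constructed for this example.
BEATS_REQUIREMENTS = [
    ("cluster", "monitor", None),                 # cluster health / version checks
    ("cluster", "manage_index_templates", None),  # check for / install the template
    ("index", "create", "filebeat-2016.01.01"),   # create the daily index
    ("index", "write", "filebeat-2016.01.01"),    # bulk-index events
]


def grants_cluster(role, privilege):
    """True if the role's cluster privileges include `privilege` (or "all")."""
    cluster = role.get("cluster", [])
    return "all" in cluster or privilege in cluster


def grants_index(role, privilege, index_name):
    """True if some index grant covers `index_name` with `privilege` (or "all")."""
    for grant in role.get("indices", []):
        if any(fnmatch(index_name, pattern) for pattern in grant.get("names", [])):
            privs = grant.get("privileges", [])
            if "all" in privs or privilege in privs:
                return True
    return False


def missing_privileges(role, requirements):
    """Return the (scope, privilege, target) tuples the role does NOT satisfy."""
    missing = []
    for scope, privilege, target in requirements:
        if scope == "cluster":
            ok = grants_cluster(role, privilege)
        else:
            ok = grants_index(role, privilege, target)
        if not ok:
            missing.append((scope, privilege, target))
    return missing


if __name__ == "__main__":
    print("overbroad role missing:", missing_privileges(OVERBROAD_ROLE, BEATS_REQUIREMENTS))
    print("beats role missing:   ", missing_privileges(BEATS_ROLE, BEATS_REQUIREMENTS))
    # Blast radius of "*" -> "all": it also grants delete on unrelated indices.
    print("overbroad can delete .kibana:", grants_index(OVERBROAD_ROLE, "delete", ".kibana"))
    print("beats role can delete .kibana:", grants_index(BEATS_ROLE, "delete", ".kibana"))
```

Run it and the overbroad role reports exactly the two missing cluster privileges that caused the 403, while the scoped role satisfies every requirement and still cannot delete anything outside the Beats patterns. Once a role passes this check you can submit the same dictionary as the body of the role API call.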

It's not a Beats problem; it's any app I use to try and create records in ES. It's entirely an ES/Shield question.

I'll try with those cluster privileges, that makes sense.

Thanks.

Yep, adding the "monitor" cluster privilege fixed it - thank you!
