Setup vs writer role for Filebeat

Hi,

from the documentation I see a sort of role seperation between setting up filebeat and shipping data using filebeat: https://www.elastic.co/guide/en/beats/filebeat/master/feature-roles.html (setup role and writer role).

But in my filebeat.yml i can provide only one user, which is used to push the logs into elastic cluster, like so:

filebeat:
  # List of inputs.
  inputs:
    [{"paths": ["/path/logs/*.log"], "type": "log"}]

# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://elastic01.com:9200", "https://elastic02.com:9200", "https://elastic03.com:9200"]
  username: "filebeat_write_user"
  password: "${FILEBEAT_WRITE_USER}"
  ssl.certificate_authorities: ["/cert/path/ca.crt"]

The user I use there has the writer role
When I now start filebeat it leads to errors:

[indices:admin/template/put] is unauthorized for user [filebeat_write_user]"},"status":403}.

What is meant by "setup role" how I can "setup" all the templaes without starting filebeat and shipping logs?