Super user that creates api keys on behalf of other user

I got a super user, I need this super user can grant api keys on behalf other user (these users are not native, they sign in via SSO with Open Id)
I saw that Grant API key API | Elasticsearch Guide [7.15] | Elastic needs user and password, but we do not have that, since user is using SSO, access_token it is not an option since we need human intervention

Our ultimate goal is that the super user can provide those api keys without human intervention.

Is there some way I can do this?

Our ultimate goal is that the super user can provide those api keys without human intervention.

Authenticating to Elasticsearch with either SAML or OIDC requires a web-browser, which generally implies human users. So it is unlikely achievable.

That said, superuser can create API keys with any permission. What prevent you from creating (instead of granting) API keys directly using the superuser if (1) you will be using superuser anyway and (2) human intervention is not wanted? One major benefit of "grant API Keys" is that the granter does not have to have all privileges of the grantee. But since the granter is superuser, the benefit no longer applies.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.