I am trying to access kibana csv report using the reporting api /api/reporting/jobs/download/{jobId}. I am able to get the data using basic authentication in my api using username and password. However when i make request using oauth2 authentication using apikey in my request I am getting the following error{ "statusCode": 403, "error": "Forbidden", "message": "Ask your administrator for access to reporting features." }
can someone please help me with this? Is this some api key permission issue?
dadoonet
April 29, 2025, 11:54am
2
Welcome!
Is the user the same one? I mean with the exact same roles?
yes, I created the api key from the app/management/api_keys from the ui. still getting unauthenticated error
dadoonet
April 29, 2025, 1:42pm
6
Thanks.
I'm able to reproduce it.
opened 01:41PM - 14 Apr 25 UTC
Team:Security
Feature:Security/Authentication
Feature:Users/Roles/API Keys
NeededFor:ResponseOps
## Summary
Soon, we're going to allow the Reporting plugin to request an API ke… y from the Task Manager. It will later use this key to interact with Kibana to generate reports. This should allow us to overcome the limitations we have today regarding access tokens captured by Reporting, which might expire at any point during the token's lifetime, potentially leading to failed reports.
However, Reporting generates reports by accessing Kibana through an automation-controlled browser, imitating the interactive user. Currently, we don't officially support using API keys for interactive Kibana use. Within the scope of this issue, we should investigate how we can overcome some of these limitations, at least for the Reporting use case:
- [ ] We should suppress [any Kibana warnings](https://github.com/elastic/kibana/blob/5d96f36e548c213b57d10bade356c829eed72bde/x-pack/platform/plugins/shared/security/server/routes/analytics/authentication_type.ts#L105-L123) regarding using API keys "interactively" to not spam logs and confuse Kibana administrators.
- [ ] We should check if it's possible to [retrieve the user profile](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html#security-api-get-api-key-query-params) (via `with_profile_uid` parameter) associated with the owner of the API key created with the [Grant API key API](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-grant-api-key.html) used by the Task Manager, since certain Kibana functionality that is captured by the reports might depend on the presence of user profiles (e.g., user avatars or user-level preferences or settings).
- [ ] We should find a way for Reporting to tell the Security plugin to retrieve the user profile for the API key only if it's needed for Reporting purposes. The same applies to anything else we might need to do just to support Reporting and that would not be needed for anything else (e.g., suppressing the warning regarding interactive usage of the API keys)
/cc @mikecote @tsullivan
So I guess this will come in the future.
Note that if you are trying to export a CSV from discover, you might be able to do this using ES|QL with ?format=csv .
That's limited in the number of extracted rows but that might help you.
