User with manage_own_api_key - Best Practices (Security)


I have been using the default elastic user to create API keys.

However, I do not think that this is a good security practice (please correct me if I'm wrong).

Hence, I'm not sure how others normally create API keys - do you guys have a dedicated user with just the manage_own_api_key cluster privilege (where it is used for creating API keys)? Or do you guys have a separate user from elastic which has this privilege, but with other privileges too for administration? (If it's the latter, which other privileges are advised to be grouped together?)

Thank you!

(P.S. The documentation for Create API key API is here, for reference.)

The answer will depend on what you're trying to use API Keys for.

What is the problem that you're trying to solve with API Keys?

What I have in mind:

Use a set of unique API keys to set up various Beats on different machines respectively (1 API key per Beat, per machine), then use another set of unique API keys (with fewer permissions) for these Beats to send documents to my Elasticsearch cluster on a long-term basis.

In which case I would recommend creating a new user specifically for ingestion - e.g. beats_ingest - and then use that user to create API keys.

The main reason for recommending this is that Elasticsearch considers an API key to be "owned" by the user that created it, and to be their responsibility. That means things like audit logs will say that the data was ingested by the owner of the API Key. It also means many of the management interfaces for API Keys (e.g. the Get/Query API Key endpoints, and the API Keys UI in Kibana) have capabilities to show API Keys specifically for a single user.

Having a separate API key per machine is helpful because it allows you to separate credentials per machine and track which credential is ingesting which data, but it is better if you also group those API keys under a common user so that you can track what they're doing and manage them as a group.

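As an added example (not code from the thread or from Elastic), the script below sets up the dedicated ingest owner the reply recommends, then has that owner mint one key per Beat per host whose role_descriptors narrow it to that Beat's indices, and finally lists the owner's keys with the Query API key endpoint. The user and role names, index patterns, expiry and ES_URL are assumptions; the cluster calls only run when invoked with `setup`.

```shell
#!/usr/bin/env bash
# Constructed example: a dedicated owner user for Beats API keys.
set -euo pipefail

ES_URL="${ES_URL:-https://localhost:9200}"   # assumed; override in the environment
OWNER_USER="beats_ingest"                    # assumed name for the owning user
OWNER_ROLE="beats_ingest_owner"              # assumed role name

# Owner role: manage_own_api_key plus the widest index privileges any key it creates may need.
# An API key can never hold more than its owner, so this is the ceiling for every key below.
owner_role_json() {
  printf '{"cluster":["manage_own_api_key"],"indices":[{"names":["filebeat-*","metricbeat-*"],"privileges":["create_doc","auto_configure"]}]}'
}

# One key per (beat, host); role_descriptors restrict the key to that Beat's own indices,
# and metadata records which machine and Beat the credential belongs to.
api_key_json() {
  local beat="$1" host="$2" ttl="${3:-90d}"
  printf '{"name":"%s-%s","expiration":"%s","role_descriptors":{"%s_writer":{"indices":[{"names":["%s-*"],"privileges":["create_doc","auto_configure"]}]}},"metadata":{"beat":"%s","host":"%s"}}' \
    "$beat" "$host" "$ttl" "$beat" "$beat" "$beat" "$host"
}

# Query body: every live key owned by the ingest user, so they can be reviewed as a group.
owner_keys_query_json() {
  printf '{"query":{"bool":{"filter":[{"term":{"username":"%s"}},{"term":{"invalidated":false}}]}}}' "$OWNER_USER"
}

# Issues the requests. Usage: ELASTIC_PASSWORD=... OWNER_PASSWORD=... ./beats_keys.sh setup
setup() {
  local json='Content-Type: application/json'
  curl -sS -u "elastic:${ELASTIC_PASSWORD}" -X PUT "$ES_URL/_security/role/$OWNER_ROLE" -H "$json" -d "$(owner_role_json)"
  curl -sS -u "elastic:${ELASTIC_PASSWORD}" -X PUT "$ES_URL/_security/user/$OWNER_USER" -H "$json" \
    -d "{\"password\":\"${OWNER_PASSWORD}\",\"roles\":[\"$OWNER_ROLE\"]}"
  # Keys are created as the owner, not as elastic, so audit logs and the Kibana UI attribute them to it.
  for pair in filebeat:host-01 metricbeat:host-01 filebeat:host-02; do
    curl -sS -u "$OWNER_USER:${OWNER_PASSWORD}" -X POST "$ES_URL/_security/api_key" -H "$json" \
      -d "$(api_key_json "${pair%%:*}" "${pair##*:}")"
  done
  curl -sS -u "$OWNER_USER:${OWNER_PASSWORD}" -X POST "$ES_URL/_security/_query/api_key" -H "$json" -d "$(owner_keys_query_json)"
}

if [ "${1:-}" = "setup" ]; then
  setup
fi
```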

Thanks! Greatly appreciate your reply.

Just a quick one: Do you think it is a good idea to have a separate API key for different Beats within a machine itself? I understand that having a separate API key per machine is helpful.
