User with manage_own_api_key - Best Practices (Security)

inf · November 7, 2021, 8:14am

Hi,

I have been using the default elastic user to create API keys.

However, I do not think that this is a good security practice (please correct me if I'm wrong).

Hence, I'm not sure how do others normally create API keys - do you guys have a dedicated user with just the manage_own_api_key cluster privilege (where it is used for creating API keys)? Or do you guys have a separate user from elastic which has this privilege, but with other privileges too for administration? (If it's the latter, which other privileges are advised to be grouped together?)

Thank you!

(P.S. The documentation for Create API key API is here, for reference.)

TimV · November 8, 2021, 3:09am

The answer will depend on what you're trying to use API Keys for.

What is the problem that you're trying to solve with API Keys?

inf · November 8, 2021, 3:59am

What I have in mind:

Use a set of unique API keys to setup various Beats on different machines respectively (1 API key per beat, per machine), then using another set of unique API keys (with less permissions) for these Beats to send documents to my Elasticsearch cluster on a long-term basis.

TimV · November 8, 2021, 5:36am

In which case I would recommend creating a new user specifically for ingestion - e.g. beats_ingest - and then use that user to create API keys.

The main reason for recommending this is that Elasticsearch considers an API key to be "owned" by the user that created it, and to be their responsibility. That means things like audit logs will say that the data was ingested by the owner of the API Key. It also means many of the management interfaces for API Keys (e.g. the Get/Query API Key endpoints, and the API Keys UI in Kibana) have capabilities to show API Keys specifically for a single user.

Having a separate API key per machine is helpful because it allows you to separate credentials per machine and track which credential is ingesting which data, but it is better if you also group those API keys under a common user so that you can track what they're doing and manage them as a group.

inf · November 8, 2021, 9:05am

Thanks! Greatly appreciate your reply.

Just a quick one: Do you think it is a good idea to have a separate API key for different Beats within a machine itself? I understand that having a separate API key per machine is helpful.

system · December 6, 2021, 9:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
API key owner Elasticsearch	9	514	December 31, 2023
How to use manage_own_api_key privilege in elk Elasticsearch elastic-stack-security	1	806	October 12, 2020
How to secure the Elasticsearch API? Elasticsearch elastic-stack-security	2	340	August 21, 2023
How to create API Key for user with `viewer` role? Kibana elastic-stack-security	8	2398	December 6, 2022
Apikeys and elastic cloud Beats elastic-stack-security , filebeat , metricbeat	7	585	May 12, 2021

User with manage_own_api_key - Best Practices (Security)

Related Topics