What are the privileges needed to create APM API key?

ffknob · April 29, 2020, 1:09pm

Hi

I'm setting an APM server up. Need some help with the API keys configuration...

This is what I did so far:

Created a role with the privileges listed in the docs. (notice the last one, the apm_api_key)

POST /_security/role/apm_setup
{
  "cluster": [
    "monitor",
    "manage_ilm"
  ],
  "indices": [
    {
      "names": [
        "apm-*"
      ],
      "privileges": [
        "manage"
      ]
    }
  ]
}
 
POST /_security/role/apm_monitoring
{
  "cluster": [
    "monitor"
  ],
  "indices": [
    {
      "names": [
        ".monitoring-beats-*"
      ],
      "privileges": [
        "create_index",
        "create_doc"
      ]
    }
  ]
}
 
POST /_security/role/apm_writer
{
  "cluster": [
    "monitor",
    "manage_ilm"
  ],
  "indices": [
    {
      "names": [
        "apm-*"
      ],
      "privileges": [
        "create_index",
        "view_index_metadata",
        "create_doc"
      ]
    }
  ]
}
 
POST /_security/role/apm_reader
{
  "indices": [
    {
      "names": [
        "apm-*"
      ],
      "privileges": [
        "read"
      ]
    }
  ]
}
 
PUT _security/role/apm_api_key
{
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write",
        "event:write",
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

Assigned those roles to the monitor user.
...but when I try to create the key:

$ ./apm-server apikey create --name apm-demo --ingest --sourcemap
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/xpack/security/api_key/create] is unauthorized for user [monitor]"}],"type":"security_exception","reason":"action [cluster:admin/xpack/security/api_key/create] is unauthorized for user [monitor]"},"status":403}

What is missing?

bmorelli25 · April 29, 2020, 3:15pm

Hi Flavio,

Sorry for the confusion. We have an open issue to improve the documentation around required privileges for using API keys: apm-server/3566. You're missing the manage_api_key privilege on cluster.

Changing your apm_api_key role to include this privilege works on my end:

PUT _security/role/apm_api_key
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write",
        "event:write",
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

ffknob · April 29, 2020, 4:18pm

Thanks @bmorelli25 !

As a suggestion it would be nice if the error message could suggest just that: "User X unauthorized to Y. Maybe privilege Z missing?"

Elasticsearch has something like that when you have a mistake in your elasticsearch.yml.

Thanks for taking the time!

system · May 20, 2020, 12:18pm

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
APM ApiKey Failing with Unauthorized (Wrong permissions documented?) APM docker , go , server	11	3087	July 30, 2021
Unable to create api key APM server	3	3526	May 26, 2021
Unable to create apikey in APMServer after installing 7.9 APM server	13	766	September 23, 2020
Define apm-server api key in Elastic APM server	3	348	May 20, 2020
APM java agent and api_key APM java , server	12	1806	September 21, 2020

What are the privileges needed to create APM API key?

Related topics