What are the privileges needed to create APM API key?

Hi

I'm setting an APM server up. Need some help with the API keys configuration...

This is what I did so far:

  1. Created a role with the privileges listed in the docs. (notice the last one, the apm_api_key)
POST /_security/role/apm_setup
{
  "cluster": [
    "monitor",
    "manage_ilm"
  ],
  "indices": [
    {
      "names": [
        "apm-*"
      ],
      "privileges": [
        "manage"
      ]
    }
  ]
}
 
POST /_security/role/apm_monitoring
{
  "cluster": [
    "monitor"
  ],
  "indices": [
    {
      "names": [
        ".monitoring-beats-*"
      ],
      "privileges": [
        "create_index",
        "create_doc"
      ]
    }
  ]
}
 
POST /_security/role/apm_writer
{
  "cluster": [
    "monitor",
    "manage_ilm"
  ],
  "indices": [
    {
      "names": [
        "apm-*"
      ],
      "privileges": [
        "create_index",
        "view_index_metadata",
        "create_doc"
      ]
    }
  ]
}
 
POST /_security/role/apm_reader
{
  "indices": [
    {
      "names": [
        "apm-*"
      ],
      "privileges": [
        "read"
      ]
    }
  ]
}
 
PUT _security/role/apm_api_key
{
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write",
        "event:write",
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

  2. Assigned those roles to the monitor user.

  3. ...but when I try to create the key:

$ ./apm-server apikey create --name apm-demo --ingest --sourcemap
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/xpack/security/api_key/create] is unauthorized for user [monitor]"}],"type":"security_exception","reason":"action [cluster:admin/xpack/security/api_key/create] is unauthorized for user [monitor]"},"status":403}

What is missing?

Hi Flavio,

Sorry for the confusion. We have an open issue to improve the documentation around required privileges for using API keys: apm-server/3566. You're missing the manage_api_key privilege on cluster.

Changing your apm_api_key role to include this privilege works on my end:

PUT _security/role/apm_api_key
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write",
        "event:write",
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

Thanks @bmorelli25!

As a suggestion, it would be nice if the error message could suggest just that: "User X unauthorized to Y. Maybe privilege Z missing?"

Elasticsearch has something like that when you have a mistake in your elasticsearch.yml.

Thanks for taking the time!
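An added example, not code from the thread, apm-server or Elasticsearch, that puts the answer and the suggestion above together: it parses the security_exception body from the question, checks the user's roles for a cluster privilege covering the denied action, and produces the "maybe privilege Z missing" hint. The action-to-privilege mapping and the role/user data are my own assumptions and constructed samples, not exhaustive.

```python
import json
import re

# Constructed sample mirroring the thread: the 403 body returned to the
# apm-server apikey command, the user's roles, and apm_api_key before/after the fix.
PAGE_ERROR = ('{"error":{"type":"security_exception","reason":"action '
              '[cluster:admin/xpack/security/api_key/create] is unauthorized '
              'for user [monitor]"},"status":403}')
USER_ROLES = {"monitor": ["apm_writer", "apm_api_key"]}
ROLES_BEFORE = {
    "apm_writer": {"cluster": ["monitor", "manage_ilm"]},
    "apm_api_key": {"applications": [{"application": "apm", "privileges": ["event:write"], "resources": ["*"]}]},
}
ROLES_AFTER = {**ROLES_BEFORE, "apm_api_key": {"cluster": ["manage_api_key"],
                                               **ROLES_BEFORE["apm_api_key"]}}

# Cluster privileges that cover the action named in the 403. Assumption: a
# hand-maintained subset of Elasticsearch's privilege semantics, not exhaustive.
ACTION_PRIVILEGES = {
    "cluster:admin/xpack/security/api_key/create":
        {"manage_api_key", "manage_own_api_key", "manage_security", "all"},
}
_REASON = re.compile(r"action \[(?P<action>[^\]]+)\] is unauthorized "
                     r"for user \[(?P<user>[^\]]+)\]")

def parse_security_exception(body: str):
    """Extract {'action': ..., 'user': ...} from a security_exception body, else None."""
    err = json.loads(body).get("error", {})
    if err.get("type") != "security_exception":
        return None
    m = _REASON.search(err.get("reason", ""))
    return m.groupdict() if m else None

def cluster_privileges(role_names, roles) -> set:
    # Union of the cluster privileges granted by the named roles.
    return {p for r in role_names for p in roles.get(r, {}).get("cluster", [])}

def explain(body: str, user_roles: dict, roles: dict) -> str:
    """Turn the bare 403 into the hint the thread asks for."""
    parsed = parse_security_exception(body)
    if parsed is None:
        return "not a security_exception"
    needed = ACTION_PRIVILEGES.get(parsed["action"], set())
    if not needed:
        return f"no privilege mapping known for action {parsed['action']}"
    have = cluster_privileges(user_roles.get(parsed["user"], []), roles) & needed
    if have:
        return f"user {parsed['user']} already holds {sorted(have)}"
    return (f"user {parsed['user']} lacks a cluster privilege for "
            f"{parsed['action']}; add one of {sorted(needed)}")
```

Where the user only ever needs keys for itself, manage_own_api_key is the narrower grant than manage_api_key, which also allows managing other users' keys.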
