Grant privileges and roles needed for API key management

edit

This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration.

You can configure API keys to authorize requests to APM Server. To create an APM Server user with the required privileges for creating and managing API keys:

  1. Create an API key role, called something like apm_api_key, that has the following cluster level privileges:

    Privilege Purpose

    manage_own_api_key

    Allow APM Server to create, retrieve, and invalidate API keys

  2. Depending on what the API key role will be used for, also assign the appropriate apm application-level privileges:

    • To receive Agent configuration, assign config_agent:read.
    • To ingest agent data, assign event:write.
    • To upload sourcemaps, assign sourcemap:write.
  3. Assign the API key role role to users that need to create and manage API keys. Users with this role can only create API keys that have the same or lower access rights.

Example API key role

edit

The following example assigns the required cluster privileges, and the ingest agent data apm API key application privileges to a role named apm_api_key:

PUT _security/role/apm_api_key 
{
  "cluster": [
    "manage_own_api_key" 
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "event:write" 
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

apm_api_key is the name of the role we’re assigning these privileges to. Any name can be used.

Required cluster privileges.

Required for API keys that will be used to ingest agent events.