Grant privileges and roles needed for API key managementedit

You can configure API keys to authorize requests to APM Server. To create an APM Server user with the required privileges for creating and managing API keys:

  1. Create an API key role, called something like apm_api_key, that has the following cluster level privileges:

    Privilege Purpose


    Allow APM Server to create, retrieve, and invalidate API keys

  2. Depending on what the API key role will be used for, also assign any or all of the following apm application level privileges:

    • To receive Agent configuration, assign config_agent:read.
    • To ingest agent data, assign event:write.
    • To upload sourcemaps, assign sourcemap:write.
  3. Assign the API key role role to users that need to create and manage API keys.

Example API key roleedit

The following example assigns the required cluster privileges, and all three apm API key application privileges to a role named apm_api_key:

PUT _security/role/apm_api_key 
  "cluster": [
  "applications": [
      "application": "apm",
      "privileges": [
      "resources": [

apm_api_key is the name of the role we’re assigning these privileges to. Any name can be used.

Required cluster privileges.

Required for API keys that will be used in sourcemap uploads.

Required for API keys that will be used to ingest agent events.

Required for API keys that will be used for Agent configuration.