Grant API key APIedit

Creates an API key on behalf of another user.

Requestedit

POST /_security/api_key/grant

Prerequisitesedit

  • To use this API, you must have the grant_api_key cluster privilege.

Descriptionedit

This API is similar to Create API keys, however it creates the API key for a user that is different than the user that runs the API.

The caller must have authentication credentials (either an access token, or a username and password) for the user on whose behalf the API key will be created. It is not possible to use this API to create an API key without that user’s credentials.

This API is intended be used by applications that need to create and manage API keys for end users, but cannot guarantee that those users have permission to create API keys on their own behalf (see Prerequisites). The API keys are created by the Elasticsearch API key service, which is automatically enabled when you configure TLS on the HTTP interface. See Encrypting HTTP client communications. Alternatively, you can explicitly enable the xpack.security.authc.api_key.enabled setting. When you are running in production mode, a bootstrap check prevents you from enabling the API key service unless you also enable TLS on the HTTP interface.

A successful grant API key API call returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

By default, API keys never expire. You can specify expiration information when you create the API keys.

See API key service settings for configuration settings related to API key service.

Request bodyedit

The following parameters can be specified in the body of a POST request:

access_token
(Required*, string) The user’s access token. If you specify the access_token grant type, this parameter is required. It is not valid with other grant types.
api_key

(Required, object) Defines the API key.

expiration
(Optional, string) Expiration time for the API key. By default, API keys never expire.
name
(Required, string) Specifies the name for this API key.
role_descriptors
(Optional, array-of-role-descriptor) An array of role descriptors for this API key. This parameter is optional. When it is not specified or is an empty array, the API key has a point in time snapshot of permissions of the specified user or access token. If you supply role descriptors, the resultant permissions are an intersection of API keys permissions and the permissions of the user or access token. The structure of role descriptor is the same as the request for create role API. For more details, see Create or update roles.
grant_type

(Required, string) The type of grant. Supported grant types are: access_token,password.

access_token
(Required*, string) In this type of grant, you must supply an access token that was created by the Elasticsearch token service. For more information, see Get token and Encrypting HTTP client communications.
password
In this type of grant, you must supply the user ID and password for which you want to create the API key.
password
(Optional*, string) The user’s password. If you specify the password grant type, this parameter is required. It is not valid with other grant types.
username
(Optional*, string) The user name that identifies the user. If you specify the password grant type, this parameter is required. It is not valid with other grant types.

Examplesedit

POST /_security/api_key/grant
{
  "grant_type": "password",
  "username" : "test_admin",
  "password" : "x-pack-test-password",
  "api_key" : {
    "name": "my-api-key",
    "expiration": "1d",
    "role_descriptors": {
      "role-a": {
        "cluster": ["all"],
        "index": [
          {
          "names": ["index-a*"],
          "privileges": ["read"]
          }
        ]
      },
      "role-b": {
        "cluster": ["all"],
        "index": [
          {
          "names": ["index-b*"],
          "privileges": ["all"]
          }
        ]
      }
    }
  }
}