Get service accounts API

This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Retrieves information about service accounts.

Currently, only the elastic/fleet-server service account is available.

Request

GET /_security/service

GET /_security/service/<namespace>

GET /_security/service/<namespace>/<service>

Prerequisites

  • To use this API, you must have at least the manage_service_account cluster privilege.

Description

In production mode, service accounts require TLS on the HTTP interface. A runtime check prevents you from invoking any related APIs or authenticating with a service account token unless TLS is enabled on the HTTP interface. See "Encrypt HTTP client communications for Elasticsearch".

Path parameters

namespace
(Optional, string) Name of the namespace. Omit this parameter to retrieve information about all service accounts. If you omit this parameter, you must also omit the service parameter.
service
(Optional, string) Name of the service. Omit this parameter to retrieve information about all service accounts that belong to the specified namespace.

Response body

A successful call returns a JSON object of service accounts. The API returns an empty object if no service account is found.

Examples

The following request retrieves the elastic/fleet-server service account:

GET /_security/service/elastic/fleet-server

{
  "elastic/fleet-server": {
    "role_descriptor": {
      "cluster": [
        "monitor",
        "manage_own_api_key"
      ],
      "indices": [
        {
          "names": [
            "logs-*",
            "metrics-*",
            "traces-*",
            "synthetics-*",
            ".logs-endpoint.diagnostic.collection-*"
          ],
          "privileges": [
            "write",
            "create_index",
            "auto_configure"
          ],
          "allow_restricted_indices": false
        },
        {
          "names": [
            ".fleet-*"
          ],
          "privileges": [
            "read",
            "write",
            "monitor",
            "create_index",
            "auto_configure"
          ],
          "allow_restricted_indices": false
        }
      ],
      "applications": [],
      "run_as": [],
      "metadata": {},
      "transient_metadata": {
        "enabled": true
      }
    }
  }
}

Omit the namespace and service to retrieve all service accounts:

GET /_security/service
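
The response body shown above can be reviewed mechanically for least privilege. The following is an added example, not part of the Elasticsearch documentation: it walks each account's role_descriptor and reports broad grants. The function name, the finding labels, the BROAD_CLUSTER policy set and the "example/too-broad" account are assumptions made for illustration; the fleet-server data is the response from this page.

```python
import json

# elastic/fleet-server role descriptor as shown on the page (compacted).
FLEET_SERVER = json.loads("""
{"elastic/fleet-server": {"role_descriptor": {
  "cluster": ["monitor", "manage_own_api_key"],
  "indices": [
    {"names": ["logs-*", "metrics-*", "traces-*", "synthetics-*",
               ".logs-endpoint.diagnostic.collection-*"],
     "privileges": ["write", "create_index", "auto_configure"],
     "allow_restricted_indices": false},
    {"names": [".fleet-*"],
     "privileges": ["read", "write", "monitor", "create_index", "auto_configure"],
     "allow_restricted_indices": false}],
  "applications": [], "run_as": [], "metadata": {},
  "transient_metadata": {"enabled": true}}}}
""")

# Constructed entry, NOT a real Elasticsearch service account: exercises each check.
CONSTRUCTED = {"example/too-broad": {"role_descriptor": {
    "cluster": ["all"],
    "indices": [{"names": ["*"], "privileges": ["all"],
                 "allow_restricted_indices": True}],
    "run_as": ["*"]}}}

# Assumption: the local policy treats these cluster privileges as too broad.
BROAD_CLUSTER = {"all", "manage_security"}

def audit_service_accounts(response):
    """Map each account in a Get service accounts response to a list of findings."""
    report = {}
    for account, body in response.items():
        rd = body.get("role_descriptor", {})
        findings = [f"cluster:{p}" for p in rd.get("cluster", []) if p in BROAD_CLUSTER]
        for entry in rd.get("indices", []):
            names = ",".join(entry.get("names", []))
            if entry.get("allow_restricted_indices"):
                findings.append(f"restricted-indices:{names}")
            if "*" in entry.get("names", []):
                findings.append("index-pattern:*")
            if "all" in entry.get("privileges", []):
                findings.append(f"index-all:{names}")
        if rd.get("run_as"):
            findings.append("run_as:" + ",".join(rd["run_as"]))
        report[account] = findings
    return report

if __name__ == "__main__":
    for account, findings in audit_service_accounts({**FLEET_SERVER, **CONSTRUCTED}).items():
        print(account, findings or "no findings")
```

An empty response object, which the API returns when no service account is found, yields an empty report.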