Update an API key
Added in 8.4.0
Update attributes of an existing API key. This API supports updates to an API key's access scope, expiration, and metadata.
To use this API, you must have at least the manage_own_api_key cluster privilege.
Users can only update API keys that they created or that were granted to them.
To update another user’s API key, use the run_as feature to submit a request on behalf of another user.
IMPORTANT: It's not possible to use an API key as the authentication credential for this API. The owner user’s credentials are required.
Use this API to update API keys created by the create API key or grant API Key APIs. If you need to apply the same update to many API keys, you can use the bulk update API keys API to reduce overhead. It's not possible to update expired API keys or API keys that have been invalidated by the invalidate API key API.
The access scope of an API key is derived from the role_descriptors you specify in the request and a snapshot of the owner user's permissions at the time of the request.
The snapshot of the owner's permissions is updated automatically on every call.
IMPORTANT: If you don't specify role_descriptors in the request, a call to this API might still change the API key's access scope.
This change can occur if the owner user's permissions have changed since the API key was created or last modified.
Path parameters
-
id
string Required The ID of the API key to update.
Body
-
role_descriptors
object The role descriptors to assign to this API key. The API key's effective permissions are an intersection of its assigned privileges and the point in time snapshot of permissions of the owner user. You can assign new privileges by specifying them in this parameter. To remove assigned privileges, you can supply an empty
role_descriptorsparameter, that is to say, an empty object{}. If an API key has no assigned privileges, it inherits the owner user's full permissions. The snapshot of the owner's permissions is always updated, whether you supply therole_descriptorsparameter or not. The structure of a role descriptor is the same as the request for the create API keys API. -
metadata
object -
expiration
string A duration. Units can be
nanos,micros,ms(milliseconds),s(seconds),m(minutes),h(hours) andd(days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
curl \
--request PUT 'http://api.example.com/_security/api_key/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"role_descriptors\": {\n \"role-a\": {\n \"indices\": [\n {\n \"names\": [\"*\"],\n \"privileges\": [\"write\"]\n }\n ]\n }\n },\n \"metadata\": {\n \"environment\": {\n \"level\": 2,\n \"trusted\": true,\n \"tags\": [\"production\"]\n }\n }\n}"'{
"role_descriptors": {
"role-a": {
"indices": [
{
"names": ["*"],
"privileges": ["write"]
}
]
}
},
"metadata": {
"environment": {
"level": 2,
"trusted": true,
"tags": ["production"]
}
}
}{
"role_descriptors": {}
}{
"updated": true
}