Grant privileges and roles needed for API key managementedit

You can configure API keys to authorize requests to APM Server. To create an APM Server user with the required privileges for creating and managing API keys:

  1. Create an API key role, called something like apm_api_key, that has the following cluster level privileges:

    Privilege Purpose


    Allow APM Server to create, retrieve, and invalidate API keys

  2. Depending on what the API key role will be used for, also assign the appropriate apm application-level privileges:

    • To receive Agent configuration, assign config_agent:read.
    • To ingest agent data, assign event:write.
    • To upload source maps, assign sourcemap:write.
  3. Assign the API key role to users that need to create and manage API keys. Users with this role can only create API keys that have the same or lower access rights.
Example API key roleedit

The following example assigns the required cluster privileges, and the ingest agent data apm API key application privileges to a role named apm_api_key:

PUT _security/role/apm_api_key 
  "cluster": [
  "applications": [
      "application": "apm",
      "privileges": [
      "resources": [

apm_api_key is the name of the role we’re assigning these privileges to. Any name can be used.

Required cluster privileges.

Required for API keys that will be used to ingest agent events.