Grant privileges and roles needed for writing events

edit

To minimize the privileges required by the writer role, use the setup role to pre-load dependencies. This section assumes that you’ve done that.

APM Server users that publish events to Elasticsearch need to create and write to apm-* indices, upload and read sourcemaps, read API keys from Elasticsearch, and perform self-instrumentation.

General writer role

edit

To grant an APM Server user the required privileges for writing events to Elasticsearch:

  1. Create a general writer role, called something like apm_writer, that has the following privileges:

    Type Privilege Purpose

    Index

    create_doc on apm-* indices

    Write events into Elasticsearch

    Index

    create_index on apm-* indices

    Create APM indices in Elasticsearch

  2. If real user monitoring and sourcemaps are enabled, assign the following additional privileges to the general writer role:

    Type Privilege Purpose

    Index

    read on apm-*sourcemap indices

    Read sourcemaps from Elasticsearch

  3. Assign the general writer role to users who need to publish APM Server data.

Specific writer roles

edit

Instead of creating a general writer role, individual publishing tasks, like writing events or uploading sourcemaps, can be performed by dedicated users with stricter privileges.

Sourcemap writer role
edit

To create an APM Server user that can write sourcemaps to Elasticsearch:

  1. Create a sourcemap writer role, called something like apm_sourcemap, that has the following privileges:

    Type Privilege Purpose

    Index

    create_doc on apm-* indices

    Write APM events into Elasticsearch

    Index

    create_index on apm-* indices

    Create APM indices in Elasticsearch

  2. Assign the sourcemap writer role to users who need to publish sourcemaps.