Grant privileges and roles needed for writing events
To minimize the privileges required by the writer role, use the setup role to pre-load dependencies. This section assumes that you’ve done that.
APM Server users that publish events to Elasticsearch need to create and write to apm-*
indices, upload and read sourcemaps, read API keys from Elasticsearch, and perform self-instrumentation.
General writer role
To grant an APM Server user the required privileges for writing events to Elasticsearch:
- Create a general writer role, called something like apm_writer, that has the following privileges:

  | Type | Privilege | Purpose |
  | --- | --- | --- |
  | Index | create_doc on apm-* indices | Write events into Elasticsearch |
  | Index | create_index on apm-* indices | Create APM indices in Elasticsearch |
- If real user monitoring and sourcemaps are enabled, assign the following additional privileges to the general writer role:

  | Type | Privilege | Purpose |
  | --- | --- | --- |
  | Index | read on apm-*sourcemap indices | Read sourcemaps from Elasticsearch |
- Assign the general writer role to users who need to publish APM Server data.
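One way to turn the tables above into a request body for the Elasticsearch create-role API (PUT /_security/role/apm_writer) and to check an existing role against them. This is an added example, not part of the original documentation; the function names and the sample role are constructed, and the comparison is literal (wildcards and implied privileges are not expanded).

```python
import json

# Index privileges from the tables above: (index pattern, privilege).
EVENTS = {("apm-*", "create_doc"), ("apm-*", "create_index")}
RUM_SOURCEMAPS = {("apm-*sourcemap", "read")}  # only with RUM + sourcemaps


def required(rum_sourcemaps=False):
    """Set of (pattern, privilege) pairs the general writer role needs."""
    return EVENTS | (RUM_SOURCEMAPS if rum_sourcemaps else set())


def writer_role_body(rum_sourcemaps=False):
    """Request body for PUT /_security/role/apm_writer (create-role API)."""
    by_pattern = {}
    for pattern, priv in sorted(required(rum_sourcemaps)):
        by_pattern.setdefault(pattern, []).append(priv)
    return {"indices": [{"names": [p], "privileges": v}
                        for p, v in by_pattern.items()]}


def audit_role(role, rum_sourcemaps=False):
    """Compare a role's index privileges with the tables, pair by pair.

    Literal comparison: wildcards and implied privileges are not expanded.
    """
    granted = {(n, p) for e in role.get("indices", [])
               for n in e["names"] for p in e["privileges"]}
    want = required(rum_sourcemaps)
    return {"missing": sorted(want - granted),
            "excess": sorted(granted - want)}


# Constructed sample: a role that drifted from the documented privileges.
DRIFTED = {"indices": [{"names": ["apm-*"],
                        "privileges": ["create_doc", "create_index", "write"]}]}

if __name__ == "__main__":
    print(json.dumps(writer_role_body(rum_sourcemaps=True), indent=2))
    print(audit_role(DRIFTED, rum_sourcemaps=True))
```
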
Specific writer roles
Instead of creating a general writer role, individual publishing tasks, like writing events or uploading sourcemaps, can be performed by dedicated users with stricter privileges.
Sourcemap writer role
To create an APM Server user that can write sourcemaps to Elasticsearch:
- Create a sourcemap writer role, called something like apm_sourcemap, that has the following privileges:

  | Type | Privilege | Purpose |
  | --- | --- | --- |
  | Index | create_doc on apm-* indices | Write APM events into Elasticsearch |
  | Index | create_index on apm-* indices | Create APM indices in Elasticsearch |
- Assign the sourcemap writer role to users who need to publish sourcemaps.