Grant privileges and roles needed for setup

edit

Setting up APM Server is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.

Administrators who set up APM Server typically need to load the index template, set up ILM aliases, templates, and policies, and register ingest pipelines.

To grant users the required privileges for setup:

  1. Create a setup role, called something like apm_setup, that has the following privileges:

    Type Privilege Purpose

    Cluster

    manage_ilm

    All index lifecycle management operations related to managing policies

    Index

    manage on apm-* indices

    All index administration privileges

  2. Assign the setup role, along with the following built-in roles, to users who need to set up APM Server:

    Role Purpose

    ingest_admin

    Set up index templates and ingest pipelines

These instructions assume that you are using the default name for APM Server indices (apm-*). If you are using a custom index name, modify the privileges to match your index naming pattern.

Partial setup

edit

In some instances, you may want to create a less-privileged user for a specific setup task.

Set up index templates
edit

APM Server loads an index template to Elasticsearch at setup time. The following privileges are required for this task:

Type Privilege Purpose

Cluster

manage_index_template

All operations on index templates

See Elasticsearch index template for more information.

Set up ILM
edit

Index lifecycle management (ILM) allows you to automate the lifecycle of your APM Server indices as they grow and age. To set up and configure ILM, the following privileges are required:

Type Privilege Purpose

Cluster

manage_index_template

All operations on index templates

Cluster

manage_ilm

All index lifecycle management operations related to managing policies.

Index

manage on apm-* indices

All index administration privileges

See Index lifecycle management for more information.

Set up ingest pipelines
edit

Ingest pipelines allow you to pre-process documents in Elasticsearch before indexing them. The following privileges are required to manage pipelines:

Type Privilege Purpose

Cluster

manage_pipeline

All operations on ingest pipelines

See pipeline for more information.