Create a cross-cluster API key | Elasticsearch API documentation

Create a cross-cluster API key Generally available

POST /_security/cross_cluster/api_key

Create an API key of the cross_cluster type for the API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface.

IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.

Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.

NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the access property.

A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

By default, API keys never expire. You can specify expiration information when you create the API keys.

Cross-cluster API keys can only be updated with the update cross-cluster API key API. Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Cluster privileges: manage_security

External documentation

application/json

Body Required

access object Required
details#setActive"> Hide access attributes Show access attributes object
- replication array[object]
  
  A list of indices permission entries for cross-cluster replication.
  details#setActive"> Hide replication attributes Show replication attributes object
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-replication-names" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-replication-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-replication-array-2-names-array-string" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-replication-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  allow_restricted_indices boolean
  
  This needs to be set to true if the patterns in the names field should cover system indices.
  
  Default value is false.
- search array[object]
  
  A list of indices permission entries for cross-cluster search.
  details#setActive"> Hide search attributes Show search attributes object
  
  field_security object
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-search-names" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-search-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-search-array-2-names-array-string" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-search-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-search" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-search" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-search-querycontainer-object" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-search-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-create-cross-cluster-api-key-body-application-json-access-search-roletemplatequery-object" role="tab" aria-controls="operation-security-create-cross-cluster-api-key-body-application-json-access-search-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Generally available
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  Default value is false.
expiration string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
metadata object
details#setActive"> Hide metadata attribute Show metadata attribute object
- * object Additional properties
name string Required

Responses

200 application/json
details#setActive"> Hide response attributes Show response attributes object
- api_key string Required
  
  Generated API key.
- expiration number
  
  Time unit for milliseconds
- id string Required
- name string Required
- encoded string Required
  
  API key credentials which is the base64-encoding of the UTF-8 representation of id and api_key joined by a colon (:).

POST /_security/cross_cluster/api_key

POST /_security/cross_cluster/api_key
{
  "name": "my-cross-cluster-api-key",
  "expiration": "1d",   
  "access": {
    "search": [  
      {
        "names": ["logs*"]
      }
    ],
    "replication": [  
      {
        "names": ["archive*"]
      }
    ]
  },
  "metadata": {
    "description": "phase one",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

resp = client.security.create_cross_cluster_api_key(
    name="my-cross-cluster-api-key",
    expiration="1d",
    access={
        "search": [
            {
                "names": [
                    "logs*"
                ]
            }
        ],
        "replication": [
            {
                "names": [
                    "archive*"
                ]
            }
        ]
    },
    metadata={
        "description": "phase one",
        "environment": {
            "level": 1,
            "trusted": True,
            "tags": [
                "dev",
                "staging"
            ]
        }
    },
)

const response = await client.security.createCrossClusterApiKey({
  name: "my-cross-cluster-api-key",
  expiration: "1d",
  access: {
    search: [
      {
        names: ["logs*"],
      },
    ],
    replication: [
      {
        names: ["archive*"],
      },
    ],
  },
  metadata: {
    description: "phase one",
    environment: {
      level: 1,
      trusted: true,
      tags: ["dev", "staging"],
    },
  },
});

response = client.security.create_cross_cluster_api_key(
  body: {
    "name": "my-cross-cluster-api-key",
    "expiration": "1d",
    "access": {
      "search": [
        {
          "names": [
            "logs*"
          ]
        }
      ],
      "replication": [
        {
          "names": [
            "archive*"
          ]
        }
      ]
    },
    "metadata": {
      "description": "phase one",
      "environment": {
        "level": 1,
        "trusted": true,
        "tags": [
          "dev",
          "staging"
        ]
      }
    }
  }
)

$resp = $client->security()->createCrossClusterApiKey([
    "body" => [
        "name" => "my-cross-cluster-api-key",
        "expiration" => "1d",
        "access" => [
            "search" => array(
                [
                    "names" => array(
                        "logs*",
                    ),
                ],
            ),
            "replication" => array(
                [
                    "names" => array(
                        "archive*",
                    ),
                ],
            ),
        ],
        "metadata" => [
            "description" => "phase one",
            "environment" => [
                "level" => 1,
                "trusted" => true,
                "tags" => array(
                    "dev",
                    "staging",
                ),
            ],
        ],
    ],
]);

curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"name":"my-cross-cluster-api-key","expiration":"1d","access":{"search":[{"names":["logs*"]}],"replication":[{"names":["archive*"]}]},"metadata":{"description":"phase one","environment":{"level":1,"trusted":true,"tags":["dev","staging"]}}}' "$ELASTICSEARCH_URL/_security/cross_cluster/api_key"

client.security().createCrossClusterApiKey(c -> c
    .access(a -> a
        .replication(r -> r
            .names("archive*")
        )
        .search(s -> s
            .names("logs*")
        )
    )
    .expiration(e -> e
        .time("1d")
    )
    .metadata(Map.of("environment", JsonData.fromJson("{\"level\":1,\"trusted\":true,\"tags\":[\"dev\",\"staging\"]}"),"description", JsonData.fromJson("\"phase one\"")))
    .name("my-cross-cluster-api-key")
);

Request example

Run `POST /_security/cross_cluster/api_key` to create a cross-cluster API key.

{
  "name": "my-cross-cluster-api-key",
  "expiration": "1d",   
  "access": {
    "search": [  
      {
        "names": ["logs*"]
      }
    ],
    "replication": [  
      {
        "names": ["archive*"]
      }
    ]
  },
  "metadata": {
    "description": "phase one",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

Response examples (200)

A successful response from `POST /_security/service/elastic/fleet-server/credential/token`.

{
  "created": true,
  "token": {
    "name": "Jk5J1HgBuyBK5TpDrdo4",
    "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ"
  }
}

Create a cross-cluster API key Generally available

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Body Required

names string | array[string] Required

names string | array[string] Required

query string | object

Responses