Update an API key | Elasticsearch API documentation

Update an API key Generally available; Added in 8.4.0

PUT /_security/api_key/{id}

Update attributes of an existing API key. This API supports updates to an API key's access scope, expiration, and metadata.

To use this API, you must have at least the manage_own_api_key cluster privilege. Users can only update API keys that they created or that were granted to them. To update another user’s API key, use the run_as feature to submit a request on behalf of another user.

IMPORTANT: It's not possible to use an API key as the authentication credential for this API. The owner user’s credentials are required.

Use this API to update API keys created by the create API key or grant API Key APIs. If you need to apply the same update to many API keys, you can use the bulk update API keys API to reduce overhead. It's not possible to update expired API keys or API keys that have been invalidated by the invalidate API key API.

The access scope of an API key is derived from the role_descriptors you specify in the request and a snapshot of the owner user's permissions at the time of the request. The snapshot of the owner's permissions is updated automatically on every call.

IMPORTANT: If you don't specify role_descriptors in the request, a call to this API might still change the API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Cluster privileges: manage_own_api_key

Path parameters

id string Required

The ID of the API key to update.

application/json

Body

role_descriptors object

The role descriptors to assign to this API key. The API key's effective permissions are an intersection of its assigned privileges and the point in time snapshot of permissions of the owner user. You can assign new privileges by specifying them in this parameter. To remove assigned privileges, you can supply an empty role_descriptors parameter, that is to say, an empty object {}. If an API key has no assigned privileges, it inherits the owner user's full permissions. The snapshot of the owner's permissions is always updated, whether you supply the role_descriptors parameter or not. The structure of a role descriptor is the same as the request for the create API keys API.
details#setActive"> Hide role_descriptors attribute Show role_descriptors attribute object
- * object Additional properties
  details#setActive"> Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  details#setActive"> Hide indices attributes Show indices attributes object
  
  field_security object
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-indices-names" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-indices-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-indices-array-2-names-array-string" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-indices-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-indices" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-indices" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-indices-querycontainer-object" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-indices-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-indices-roletemplatequery-object" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-indices-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Generally available
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  Default value is false.
  
  remote_indices array[object] Generally available; Added in 8.14.0
  
  A list of indices permissions for remote clusters.
  
  The subset of index level privileges that can be defined for remote clusters.
  
  details#setActive"> Hide remote_indices attributes Show remote_indices attributes object
  
  clusters string | array[string] Required
  
  field_security object
  
  details#setActive"> Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string] Required
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-names" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-names" tabindex="0"> IndexName string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-array-2-names-array-string" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-array-2-names-array-string" tabindex="0"> array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-remote_indices" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-remote_indices" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-querycontainer-object" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-querycontainer-object" tabindex="0"> QueryContainer object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-roletemplatequery-object" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-remote_indices-roletemplatequery-object" tabindex="0"> RoleTemplateQuery object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  allow_restricted_indices boolean Generally available
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  Default value is false.
  
  remote_cluster array[object] Generally available; Added in 8.15.0
  
  A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.
  
  The subset of cluster level privileges that can be defined for remote clusters.
  
  details#setActive"> Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters string | array[string] Required
  
  privileges array[string] Required
  
  The cluster level privileges that owners of the role have on the remote cluster.
  
  Values are monitor_enrich or monitor_stats.
  
  global array[object] | object
  
  An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-global" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-global" tabindex="0"> array-1 array[object] tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-update-api-key-body-application-json-role_descriptors-globalprivilege-global-object" role="tab" aria-controls="operation-security-update-api-key-body-application-json-role_descriptors-globalprivilege-global-object" tabindex="0"> GlobalPrivilege object
  
  details#setActive"> Hide attribute Show attribute object
  
  application object Required
  
  details#setActive"> Hide application attribute Show application attribute object
  
  manage object Required
  
  details#setActive"> Hide attribute Show attribute
  
  application object Required
  
  details#setActive"> Hide application attribute Show application attribute object
  
  manage object Required
  
  details#setActive"> Hide manage attribute Show manage attribute object
  
  applications array[string] Required
  
  applications array[object]
  
  A list of application privilege entries
  
  details#setActive"> Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  metadata object
  
  details#setActive"> Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  details#setActive"> Hide restriction attribute Show restriction attribute object
  
  workflows array[string] Required
  
  A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.
  
  transient_metadata object
  
  details#setActive"> Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
metadata object
details#setActive"> Hide metadata attribute Show metadata attribute object
- * object Additional properties
expiration string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

Responses

200 application/json
details#setActive"> Hide response attribute Show response attribute object
- updated boolean Required
  
  If true, the API key was updated. If false, the API key didn't change because no change was detected.

PUT /_security/api_key/{id}

PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx
{
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": ["*"],
          "privileges": ["write"]
        }
      ]
    }
  },
  "metadata": {
    "environment": {
      "level": 2,
      "trusted": true,
      "tags": ["production"]
    }
  }
}

resp = client.security.update_api_key(
    id="VuaCfGcBCdbkQm-e5aOx",
    role_descriptors={
        "role-a": {
            "indices": [
                {
                    "names": [
                        "*"
                    ],
                    "privileges": [
                        "write"
                    ]
                }
            ]
        }
    },
    metadata={
        "environment": {
            "level": 2,
            "trusted": True,
            "tags": [
                "production"
            ]
        }
    },
)

const response = await client.security.updateApiKey({
  id: "VuaCfGcBCdbkQm-e5aOx",
  role_descriptors: {
    "role-a": {
      indices: [
        {
          names: ["*"],
          privileges: ["write"],
        },
      ],
    },
  },
  metadata: {
    environment: {
      level: 2,
      trusted: true,
      tags: ["production"],
    },
  },
});

response = client.security.update_api_key(
  id: "VuaCfGcBCdbkQm-e5aOx",
  body: {
    "role_descriptors": {
      "role-a": {
        "indices": [
          {
            "names": [
              "*"
            ],
            "privileges": [
              "write"
            ]
          }
        ]
      }
    },
    "metadata": {
      "environment": {
        "level": 2,
        "trusted": true,
        "tags": [
          "production"
        ]
      }
    }
  }
)

$resp = $client->security()->updateApiKey([
    "id" => "VuaCfGcBCdbkQm-e5aOx",
    "body" => [
        "role_descriptors" => [
            "role-a" => [
                "indices" => array(
                    [
                        "names" => array(
                            "*",
                        ),
                        "privileges" => array(
                            "write",
                        ),
                    ],
                ),
            ],
        ],
        "metadata" => [
            "environment" => [
                "level" => 2,
                "trusted" => true,
                "tags" => array(
                    "production",
                ),
            ],
        ],
    ],
]);

curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"role_descriptors":{"role-a":{"indices":[{"names":["*"],"privileges":["write"]}]}},"metadata":{"environment":{"level":2,"trusted":true,"tags":["production"]}}}' "$ELASTICSEARCH_URL/_security/api_key/VuaCfGcBCdbkQm-e5aOx"

client.security().updateApiKey(u -> u
    .id("VuaCfGcBCdbkQm-e5aOx")
    .metadata("environment", JsonData.fromJson("{\"level\":2,\"trusted\":true,\"tags\":[\"production\"]}"))
    .roleDescriptors("role-a", r -> r
        .indices(i -> i
            .names("*")
            .privileges("write")
        )
    )
);

Request examples

Run `PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx` to assign new role descriptors and metadata to an API key.

{
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": ["*"],
          "privileges": ["write"]
        }
      ]
    }
  },
  "metadata": {
    "environment": {
      "level": 2,
      "trusted": true,
      "tags": ["production"]
    }
  }
}

Run `PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx` to remove the API key's previously assigned permissions. It will inherit the owner user's full permissions.

{
  "role_descriptors": {}
}

Response examples (200)

A successful response from `PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx`. The API key's effective permissions after the update will be the intersection of the supplied role descriptors and the owner user's permissions.

{
  "updated": true
}