Using API keys that belong to the elastic superuser to access the Elasticsearch API is not recommended. API keys are often used by remote clients on remote systems, and any attacker who gets access to such a key can compromise the entire Elasticsearch instance.

The solution is to use API keys for unprivileged roles and users. Creating these API keys, however, is not straightforward: unprivileged users usually don't have permission to log in and create API keys for themselves. Run the following request as superuser to create an API key on behalf of an unprivileged user, for example in the Kibana Dev Tools console at /app/dev_tools#/console.

POST /_security/api_key/grant
{
    "grant_type": "password",
    "username": "elastic",
    "password": "YOUR SUPERUSER PASSWORD",
    "run_as": "UNPRIVILEGED USERNAME",
    "api_key": {
        "name": "NEW NAME FOR THAT API KEY"
    }
}

More details can be found in the API docs.

Dedicated API keys with restricted permissions

API keys for dedicated tasks, for example for Filebeat or Metricbeat clients, are created through a different endpoint, which accepts role descriptors that restrict what the key is allowed to do.

Create an API key for Metricbeat clients with the following request. See the API docs for more details.

POST /_security/api_key
{
  "name": "API KEY NAME", 
  "role_descriptors": {
    "metricbeat_writer": { 
      "cluster": ["monitor", "read_ilm", "read_pipeline"],
      "index": [
        {
          "names": ["metricbeat-*"],
          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
        }
      ]
    }
  }
}

Create an API key for Filebeat clients with the following request. See the API docs for more details.

POST /_security/api_key
{
  "name": "API KEY NAME",
  "role_descriptors": {
    "filebeat_writer": {
      "cluster": ["monitor", "read_ilm", "read_pipeline"],
      "index": [
        {
          "names": ["filebeat-*"],
          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
        }
      ]
    }
  }
}
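
Before handing a key to a remote client, it helps to check that its role descriptors are no broader than the two requests above and to put the returned credential into the form the client expects. The following Python sketch is an added example, not code from this page or from Elastic: the function names, the allow-lists and the sample values are assumptions made for illustration, and it relies on the create-key response carrying `id` and `api_key` fields.

```python
import base64

# Allow-lists taken from the Metricbeat/Filebeat requests on this page;
# treating anything outside them as a finding is this example's assumption.
ALLOWED_CLUSTER = {"monitor", "read_ilm", "read_pipeline"}
ALLOWED_INDEX = {"view_index_metadata", "create_doc", "auto_configure"}

def audit_role_descriptors(role_descriptors, index_prefix):
    """Return findings; an empty list means the descriptors are no broader
    than the writer descriptors shown on this page."""
    if not role_descriptors:
        # Without role_descriptors the key inherits its owner's permissions.
        return ["no role_descriptors: key inherits all permissions of its owner"]
    findings = []
    for role, desc in role_descriptors.items():
        for priv in sorted(set(desc.get("cluster", [])) - ALLOWED_CLUSTER):
            findings.append(f"{role}: unexpected cluster privilege '{priv}'")
        for entry in desc.get("index", []):
            for name in entry.get("names", []):
                if not name.startswith(index_prefix):
                    findings.append(f"{role}: index pattern '{name}' is outside '{index_prefix}*'")
            for priv in sorted(set(entry.get("privileges", [])) - ALLOWED_INDEX):
                findings.append(f"{role}: unexpected index privilege '{priv}'")
    return findings

def client_credentials(response):
    """Build the 'id:api_key' pair used in Beats configuration and the
    HTTP 'ApiKey' Authorization header value from a create-key response."""
    pair = f"{response['id']}:{response['api_key']}"
    header = "ApiKey " + base64.b64encode(pair.encode()).decode()
    return pair, header

# The Metricbeat descriptor from this page, and a constructed over-broad one.
PAGE_DESCRIPTOR = {"metricbeat_writer": {
    "cluster": ["monitor", "read_ilm", "read_pipeline"],
    "index": [{"names": ["metricbeat-*"],
               "privileges": ["view_index_metadata", "create_doc", "auto_configure"]}]}}
BROAD_DESCRIPTOR = {"metricbeat_writer": {
    "cluster": ["all"],
    "index": [{"names": ["*"], "privileges": ["all"]}]}}
# Constructed response; real values come back from POST /_security/api_key.
SAMPLE_RESPONSE = {"id": "EXAMPLE_ID", "name": "API KEY NAME", "api_key": "EXAMPLE_SECRET"}

if __name__ == "__main__":
    print(audit_role_descriptors(PAGE_DESCRIPTOR, "metricbeat-"))
    print("\n".join(audit_role_descriptors(BROAD_DESCRIPTOR, "metricbeat-")))
    print(client_credentials(SAMPLE_RESPONSE))
```

The empty-descriptor finding also applies to the grant request at the top of this page: it passes no role descriptors, so the resulting key carries whatever the unprivileged user is permitted to do.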