Grant access using API keys

edit

Grant access using API keys

edit

Instead of using usernames and passwords, you can use API keys to grant access to Elasticsearch resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the manage_api_key or manage_own_api_key cluster privilege can create API keys.

Auditbeat instances typically send both collected data and monitoring information to Elasticsearch. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.

For security reasons, we recommend using a unique API key per Auditbeat instance. You can create as many API keys per user as necessary.

Review Grant users access to secured resources before creating API keys for Auditbeat.

Create an API key for publishing

edit

To create an API key to use for writing data to Elasticsearch, use the Create API key API, for example:

POST /_security/api_key
{
  "name": "auditbeat_host001", 
  "role_descriptors": {
    "auditbeat_writer": { 
      "cluster": ["monitor", "read_ilm", "read_pipeline"],
      "index": [
        {
          "names": ["auditbeat-*"],
          "privileges": ["view_index_metadata", "create_doc"]
        }
      ]
    }
  }
}

Name of the API key

Granted privileges, see Grant users access to secured resources

See Create a publishing user for the list of privileges required to publish events.

The return value will look something like this:

{
  "id":"TiNAGG4BaaMdaH1tRfuU", 
  "name":"auditbeat_host001",
  "api_key":"KnR6yE41RrSowb0kQ0HWoA" 
}

Unique id for this API key

Generated API key

You can now use this API key in your auditbeat.yml configuration file like this:

output.elasticsearch:
  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA 

Format is id:api_key (as returned by Create API key)

Create an API key for monitoring

edit

To create an API key to use for sending monitoring data to Elasticsearch, use the Create API key API, for example:

POST /_security/api_key
{
  "name": "auditbeat_host001", 
  "role_descriptors": {
    "auditbeat_monitoring": { 
      "cluster": ["monitor"],
      "index": [
        {
          "names": [".monitoring-beats-*"],
          "privileges": ["create_index", "create"]
        }
      ]
    }
  }
}

Name of the API key

Granted privileges, see Grant users access to secured resources

See Create a monitoring user for the list of privileges required to send monitoring data.

The return value will look something like this:

{
  "id":"TiNAGG4BaaMdaH1tRfuU", 
  "name":"auditbeat_host001",
  "api_key":"KnR6yE41RrSowb0kQ0HWoA" 
}

Unique id for this API key

Generated API key

You can now use this API key in your auditbeat.yml configuration file like this:

monitoring.elasticsearch:
  api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA 

Format is id:api_key (as returned by Create API key)

Learn more about API keys

edit

See the Elasticsearch API key documentation for more information: