Create API key API
editCreate API key API
editCreates an API key for access without requiring basic authentication.
Request
editPOST /_security/api_key
PUT /_security/api_key
Prerequisites
edit-
To use this API, you must have at least the
manage_api_key
cluster privilege.
Description
editThe API keys are created by the Elasticsearch API key service, which is automatically enabled
when you configure TLS on the HTTP interface. See Encrypting HTTP client communications. Alternatively,
you can explicitly enable the xpack.security.authc.api_key.enabled
setting. When
you are running in production mode, a bootstrap check prevents you from enabling
the API key service unless you also enable TLS on the HTTP interface.
A successful create API key API call returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds.
By default, API keys never expire. You can specify expiration information when you create the API keys.
See API key service settings for configuration settings related to API key service.
Request body
editThe following parameters can be specified in the body of a POST or PUT request:
-
name
- (Required, string) Specifies the name for this API key.
-
role_descriptors
- (Optional, array-of-role-descriptor) An array of role descriptors for this API key. This parameter is optional. When it is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors then the resultant permissions would be an intersection of API keys permissions and authenticated user’s permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for create role API. For more details, see create or update roles API.
-
expiration
- (Optional, string) Expiration time for the API key. By default, API keys never expire.
Examples
editThe following example creates an API key:
POST /_security/api_key { "name": "my-api-key", "expiration": "1d", "role_descriptors": { "role-a": { "cluster": ["all"], "index": [ { "names": ["index-a*"], "privileges": ["read"] } ] }, "role-b": { "cluster": ["all"], "index": [ { "names": ["index-b*"], "privileges": ["all"] } ] } } }
optional expiration for the API key being generated. If expiration is not provided then the API keys do not expire. |
|
optional role descriptors for this API key, if not provided then permissions of authenticated user are applied. |
A successful call returns a JSON structure that provides API key information.
{ "id":"VuaCfGcBCdbkQm-e5aOx", "name":"my-api-key", "expiration":1544068612110, "api_key":"ui2lp2axTNmsyakw9tvNnw" }
The API key returned by this API can then be used by sending a request with a
Authorization
header with a value having the prefix ApiKey
followed
by the credentials, where credentials is the base64 encoding of id
and api_key
joined by a colon.
curl -H "Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" http://localhost:9200/_cluster/health