Observability: other versions:
What is Elastic Observability?
What’s new in 8.12
Get started
- Logs and metrics
- Traces and APM
- Data from Splunk
Observability AI Assistant
Application performance monitoring (APM)
- Self manage APM Server
  - APM Server binary
  - Fleet-managed APM Server
- Data Model
  - Spans
  - Transactions
  - Errors
  - Metrics
  - Metadata
- Features
- How-to guides
- OpenTelemetry integration
- Manage storage
- Configure
- Advanced setup
- Secure communication
  - With APM agents
  - With the Elastic Stack
- Monitor
- API
- Troubleshoot
- Upgrade
- Release notes
- Known issues
Logs
- Stream any log file
- Parse and organize logs
- Filter and aggregate logs
- Stream application logs
- Log monitoring
- Logs index template reference
- Troubleshoot logs
Infrastructure monitoring
- View infrastructure metrics by resource type
- Explore infrastructure metrics over time
- Analyze and compare hosts
- Detect metric anomalies
- Configure settings
- Metrics reference
AWS monitoring
- Monitor EC2
- Monitor Kinesis data streams
- Monitor S3
- Monitor SQS
Synthetic monitoring
- Get started
  - Use Project monitors
  - Use the Synthetics app
- Scripting browser monitors
- Configure lightweight monitors
- Manage monitors
- Work with params and secrets
- Analyze monitor data
- Monitor resources on private networks
- Use the CLI
- Configure projects
- Configure Synthetics settings
- Grant users access to secured resources
- Manage data retention
- Use Synthetics with traffic filters
- Migrate from the Elastic Synthetics integration
- Scale and architect a deployment
- Synthetics support matrix
- Synthetics Encryption and Security
- Troubleshooting
Uptime monitoring
- Get started with Uptime
- Analyze
- Configure settings
- Troubleshoot mapping issues
Real user monitoring
Universal Profiling
- Get started
- Manage data storage
  - Index lifecycle management
  - Configure probabilistic profiling
- Advanced configuration
- Upgrade
- Troubleshoot
Alerting
- Create and manage rules
- View alerts
Service-level objectives (SLOs)
- Configure SLO access
- Create an SLO
Cases
- Configure access to cases
- Open and manage new cases
- Configure external connectors
CI/CD observability
Troubleshooting
- Explore data
- Inspect
Fields reference
- Logs app fields
- Infrastructure app fields
Tutorials
- Monitor Amazon Web Services (AWS) with Elastic Agent
- Monitor Amazon Web Services (AWS) with Beats
- Monitor Google Cloud Platform
  - GCP Dataflow templates
- Monitor a Java application
- Monitor Kubernetes
- Monitor Microsoft Azure with Elastic Agent
- Monitor Microsoft Azure with the Azure Native ISV Service
- Monitor Microsoft Azure with Beats

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Grant privileges and roles needed for monitoring Grant privileges and roles needed for APM Agent central configuration »

› › › ›

Grant privileges and roles needed for API key management

edit

Grant privileges and roles needed for API key management

edit

You can configure API keys to authorize requests to APM Server. To create an APM Server user with the required privileges for creating and managing API keys:

Create an API key role, called something like apm_api_key, that has the following cluster level privileges:

Privilege Purpose

manage_own_api_key

Allow APM Server to create, retrieve, and invalidate API keys
Depending on what the API key role will be used for, also assign the appropriate apm application-level privileges:
- To receive Agent configuration, assign config_agent:read.
- To ingest agent data, assign event:write.
- To upload source maps, assign sourcemap:write.
Assign the API key role to users that need to create and manage API keys. Users with this role can only create API keys that have the same or lower access rights.

Privilege	Purpose
`manage_own_api_key`	Allow APM Server to create, retrieve, and invalidate API keys

Example API key role

edit

The following example assigns the required cluster privileges, and the ingest agent data apm API key application privileges to a role named apm_api_key:

PUT _security/role/apm_api_key 
{
  "cluster": [
    "manage_own_api_key" 
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "event:write" 
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

Copy as curl

	`apm_api_key` is the name of the role we’re assigning these privileges to. Any name can be used.
	Required cluster privileges.
	Required for API keys that will be used to ingest agent events.

« Grant privileges and roles needed for monitoring Grant privileges and roles needed for APM Agent central configuration »

On this page

Example API key role

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

Grant privileges and roles needed for API key management

Grant privileges and roles needed for API key management

Example API key role

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards