Bulk update API keys Generally available; Added in 8.5.0

POST /_security/api_key/_bulk_update
Api key auth Basic auth Bearer auth

Update the attributes for multiple API keys.

IMPORTANT: It is not possible to use an API key as the authentication credential for this API. To update API keys, the owner user's credentials are required.

This API is similar to the update API key API but enables you to apply the same update to multiple API keys in one API call. This operation can greatly improve performance over making individual updates.

It is not possible to update expired or invalidated API keys.

This API supports updates to API key access scope, metadata and expiration. The access scope of each API key is derived from the role_descriptors you specify in the request and a snapshot of the owner user's permissions at the time of the request. The snapshot of the owner's permissions is updated automatically on every call.

IMPORTANT: If you don't specify role_descriptors in the request, a call to this API might still change an API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.

A successful request returns a JSON structure that contains the IDs of all updated API keys, the IDs of API keys that already had the requested changes and did not require an update, and error details for any failed update.

Required authorization

  • Cluster privileges: manage_own_api_key
application/json

Body Required

  • expiration string

    Expiration time for the API keys. By default, API keys never expire. This property can be omitted to leave the value unchanged.

  • ids string | array[string] Required

    The API key identifiers.

    One of:
    string-1 string array-2 array[string]
  • metadata object

    Arbitrary nested metadata to associate with the API keys. Within the metadata object, top-level keys beginning with an underscore (_) are reserved for system usage. Any information specified with this parameter fully replaces metadata previously associated with the API key.

    Hide metadata attribute Show metadata attribute object
    • * object Additional properties
  • role_descriptors object

    The role descriptors to assign to the API keys. An API key's effective permissions are an intersection of its assigned privileges and the point-in-time snapshot of permissions of the owner user. You can assign new privileges by specifying them in this parameter. To remove assigned privileges, supply the role_descriptors parameter as an empty object {}. If an API key has no assigned privileges, it inherits the owner user's full permissions. The snapshot of the owner's permissions is always updated, whether you supply the role_descriptors parameter. The structure of a role descriptor is the same as the request for the create API keys API.

    Hide role_descriptors attribute Show role_descriptors attribute object
    • * object Additional properties
      Hide * attributes Show * attributes object
      • cluster array[string]

        A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

      • indices array[object]

        A list of indices permissions entries.

        Hide indices attributes Show indices attributes object
        • field_security object

          The document fields that the owners of the role have read access to.

        • names string | array[string] Required

          A list of indices (or index name patterns) to which the permissions in this entry apply.

          One of:
          IndexName string array-2 array[string]
        • privileges array[string] Required

          The index level privileges that owners of the role have on the specified indices.

        • query string | object

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

          One of:
          string-1 string QueryContainer object RoleTemplateQuery object

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        • allow_restricted_indices boolean Generally available

          Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

          Default value is false.

      • remote_indices array[object] Generally available; Added in 8.14.0

        A list of indices permissions for remote clusters.

        The subset of index level privileges that can be defined for remote clusters.

        Hide remote_indices attributes Show remote_indices attributes object
        • clusters string | array[string] Required

          A list of cluster aliases to which the permissions in this entry apply.

        • field_security object

          The document fields that the owners of the role have read access to.

        • names string | array[string] Required

          A list of indices (or index name patterns) to which the permissions in this entry apply.

          One of:
          IndexName string array-2 array[string]
        • privileges array[string] Required

          The index level privileges that owners of the role have on the specified indices.

        • query string | object

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

          One of:
          string-1 string QueryContainer object RoleTemplateQuery object

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

          A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        • allow_restricted_indices boolean Generally available

          Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

          Default value is false.

      • remote_cluster array[object] Generally available; Added in 8.15.0

        A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

        The subset of cluster level privileges that can be defined for remote clusters.

        Hide remote_cluster attributes Show remote_cluster attributes object
        • clusters string | array[string] Required

          A list of cluster aliases to which the permissions in this entry apply.

        • privileges array[string] Required

          The cluster level privileges that owners of the role have on the remote cluster.

          Values are monitor_enrich or monitor_stats.

      • global array[object] | object

        An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

        One of:
        array-1 array[object] GlobalPrivilege object
        Hide attribute Show attribute object
        • application object Required
      • applications array[object]

        A list of application privilege entries

        Hide applications attributes Show applications attributes object
        • application string Required

          The name of the application to which this entry applies.

        • privileges array[string] Required

          A list of strings, where each element is the name of an application privilege or action.

        • resources array[string] Required

          A list resources to which the privileges are applied.

      • metadata object

        Optional meta-data. Within the metadata object, keys that begin with _ are reserved for system usage.

        Hide metadata attribute Show metadata attribute object
        • * object Additional properties
      • run_as array[string]

        A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

      • description string

        Optional description of the role descriptor

      • restriction object

        Restriction for when the role descriptor is allowed to be effective.

        Hide restriction attribute Show restriction attribute object
        • workflows array[string] Required

          A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.

      • transient_metadata object
        Hide transient_metadata attribute Show transient_metadata attribute object
        • * object Additional properties

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • errors object
      Hide errors attributes Show errors attributes object
      • count number Required

        The number of errors

      • details object Required

        Details about the errors, keyed by role name

        Hide details attribute Show details attribute object
        • * object

          Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

          Hide * attributes Show * attributes object
          • type string Required

            The type of error

          • reason string | null

            A human-readable explanation of the error, in English.

            One of:
            string-1 string string-2 string | null
          • stack_trace string

            The server stack trace. Present only if the error_trace=true parameter was sent with the request.

          • caused_by object

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

          • root_cause array[object]

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

          • suppressed array[object]

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

            Cause and details about a request failure. This class defines the properties common to all error types. Additional details are also provided, that depend on the error type.

    • noops array[string] Required
    • updated array[string] Required
POST /_security/api_key/_bulk_update 
POST /_security/api_key/_bulk_update
{
  "ids": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": [
            "*"
          ],
          "privileges": [
            "write"
          ]
        }
      ]
    }
  },
  "metadata": {
    "environment": {
      "level": 2,
      "trusted": true,
      "tags": [
        "production"
      ]
    }
  },
  "expiration": "30d"
}
resp = client.security.bulk_update_api_keys(
    ids=[
        "VuaCfGcBCdbkQm-e5aOx",
        "H3_AhoIBA9hmeQJdg7ij"
    ],
    role_descriptors={
        "role-a": {
            "indices": [
                {
                    "names": [
                        "*"
                    ],
                    "privileges": [
                        "write"
                    ]
                }
            ]
        }
    },
    metadata={
        "environment": {
            "level": 2,
            "trusted": True,
            "tags": [
                "production"
            ]
        }
    },
    expiration="30d",
)
const response = await client.security.bulkUpdateApiKeys({
  ids: ["VuaCfGcBCdbkQm-e5aOx", "H3_AhoIBA9hmeQJdg7ij"],
  role_descriptors: {
    "role-a": {
      indices: [
        {
          names: ["*"],
          privileges: ["write"],
        },
      ],
    },
  },
  metadata: {
    environment: {
      level: 2,
      trusted: true,
      tags: ["production"],
    },
  },
  expiration: "30d",
});
response = client.security.bulk_update_api_keys(
  body: {
    "ids": [
      "VuaCfGcBCdbkQm-e5aOx",
      "H3_AhoIBA9hmeQJdg7ij"
    ],
    "role_descriptors": {
      "role-a": {
        "indices": [
          {
            "names": [
              "*"
            ],
            "privileges": [
              "write"
            ]
          }
        ]
      }
    },
    "metadata": {
      "environment": {
        "level": 2,
        "trusted": true,
        "tags": [
          "production"
        ]
      }
    },
    "expiration": "30d"
  }
)
$resp = $client->security()->bulkUpdateApiKeys([
    "body" => [
        "ids" => array(
            "VuaCfGcBCdbkQm-e5aOx",
            "H3_AhoIBA9hmeQJdg7ij",
        ),
        "role_descriptors" => [
            "role-a" => [
                "indices" => array(
                    [
                        "names" => array(
                            "*",
                        ),
                        "privileges" => array(
                            "write",
                        ),
                    ],
                ),
            ],
        ],
        "metadata" => [
            "environment" => [
                "level" => 2,
                "trusted" => true,
                "tags" => array(
                    "production",
                ),
            ],
        ],
        "expiration" => "30d",
    ],
]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"ids":["VuaCfGcBCdbkQm-e5aOx","H3_AhoIBA9hmeQJdg7ij"],"role_descriptors":{"role-a":{"indices":[{"names":["*"],"privileges":["write"]}]}},"metadata":{"environment":{"level":2,"trusted":true,"tags":["production"]}},"expiration":"30d"}' "$ELASTICSEARCH_URL/_security/api_key/_bulk_update"
client.security().bulkUpdateApiKeys(b -> b
    .expiration(e -> e
        .time("30d")
    )
    .ids(List.of("VuaCfGcBCdbkQm-e5aOx","H3_AhoIBA9hmeQJdg7ij"))
    .metadata("environment", JsonData.fromJson("{\"level\":2,\"trusted\":true,\"tags\":[\"production\"]}"))
    .roleDescriptors("role-a", r -> r
        .indices(i -> i
            .names("*")
            .privileges("write")
        )
    )
);
Request examples
Assign new role descriptors and metadata and update the expiration time for two API keys. 
{
  "ids": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": [
            "*"
          ],
          "privileges": [
            "write"
          ]
        }
      ]
    }
  },
  "metadata": {
    "environment": {
      "level": 2,
      "trusted": true,
      "tags": [
        "production"
      ]
    }
  },
  "expiration": "30d"
}
Remove the previously assigned permissions for two API keys, making them inherit the owner user's full permissions. 
{
  "ids": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "role_descriptors": {}
}
Response examples (200)
A successful response from updating two API keys. 
{
  "updated": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "noops": []
}