Create a cross-cluster API key Generally available

POST /_security/cross_cluster/api_key
Api key auth Basic auth Bearer auth

Create an API key of the cross_cluster type for the API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface.

IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.

Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.

NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the access property.

A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

By default, API keys never expire. You can specify expiration information when you create the API keys.

Cross-cluster API keys can only be updated with the update cross-cluster API key API. Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.

Required authorization

  • Cluster privileges: manage_security
External documentation
application/json

Body Required

  • access object Required

    The access to be granted to this API key. The access is composed of permissions for cross-cluster search and cross-cluster replication. At least one of them must be specified.

    NOTE: No explicit privileges should be specified for either search or replication access. The creation process automatically converts the access specification to a role descriptor which has relevant privileges assigned accordingly.

    Hide access attributes Show access attributes object
    • replication array[object]

      A list of indices permission entries for cross-cluster replication.

      Hide replication attributes Show replication attributes object

      • names string | array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

        One of:
        IndexName string array-2 array[string]
      • allow_restricted_indices boolean

        This needs to be set to true if the patterns in the names field should cover system indices.

        Default value is false.

    • search array[object]

      A list of indices permission entries for cross-cluster search.

      Hide search attributes Show search attributes object
      • field_security object

        The document fields that the owners of the role have read access to.

      • names string | array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

        One of:
        IndexName string array-2 array[string]

      • query string | object

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        One of:
        string-1 string QueryContainer object RoleTemplateQuery object

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

      • allow_restricted_indices boolean Generally available

        Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

        Default value is false.

  • expiration string

    Expiration time for the API key. By default, API keys never expire.

  • metadata object

    Arbitrary metadata that you want to associate with the API key. It supports nested data structure. Within the metadata object, keys beginning with _ are reserved for system usage.

    Hide metadata attribute Show metadata attribute object
    • * object Additional properties
  • name string Required

    Specifies the name for this API key.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • api_key string Required

      Generated API key.

    • expiration number

      Time unit for milliseconds

    • id string Required

      Unique ID for this API key.

    • name string Required

      Specifies the name for this API key.

    • encoded string Required

      API key credentials which is the base64-encoding of the UTF-8 representation of id and api_key joined by a colon (:).
POST /_security/cross_cluster/api_key 
POST /_security/cross_cluster/api_key
{
  "name": "my-cross-cluster-api-key",
  "expiration": "1d",   
  "access": {
    "search": [  
      {
        "names": ["logs*"]
      }
    ],
    "replication": [  
      {
        "names": ["archive*"]
      }
    ]
  },
  "metadata": {
    "description": "phase one",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}
resp = client.security.create_cross_cluster_api_key(
    name="my-cross-cluster-api-key",
    expiration="1d",
    access={
        "search": [
            {
                "names": [
                    "logs*"
                ]
            }
        ],
        "replication": [
            {
                "names": [
                    "archive*"
                ]
            }
        ]
    },
    metadata={
        "description": "phase one",
        "environment": {
            "level": 1,
            "trusted": True,
            "tags": [
                "dev",
                "staging"
            ]
        }
    },
)
const response = await client.security.createCrossClusterApiKey({
  name: "my-cross-cluster-api-key",
  expiration: "1d",
  access: {
    search: [
      {
        names: ["logs*"],
      },
    ],
    replication: [
      {
        names: ["archive*"],
      },
    ],
  },
  metadata: {
    description: "phase one",
    environment: {
      level: 1,
      trusted: true,
      tags: ["dev", "staging"],
    },
  },
});
response = client.security.create_cross_cluster_api_key(
  body: {
    "name": "my-cross-cluster-api-key",
    "expiration": "1d",
    "access": {
      "search": [
        {
          "names": [
            "logs*"
          ]
        }
      ],
      "replication": [
        {
          "names": [
            "archive*"
          ]
        }
      ]
    },
    "metadata": {
      "description": "phase one",
      "environment": {
        "level": 1,
        "trusted": true,
        "tags": [
          "dev",
          "staging"
        ]
      }
    }
  }
)
$resp = $client->security()->createCrossClusterApiKey([
    "body" => [
        "name" => "my-cross-cluster-api-key",
        "expiration" => "1d",
        "access" => [
            "search" => array(
                [
                    "names" => array(
                        "logs*",
                    ),
                ],
            ),
            "replication" => array(
                [
                    "names" => array(
                        "archive*",
                    ),
                ],
            ),
        ],
        "metadata" => [
            "description" => "phase one",
            "environment" => [
                "level" => 1,
                "trusted" => true,
                "tags" => array(
                    "dev",
                    "staging",
                ),
            ],
        ],
    ],
]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"name":"my-cross-cluster-api-key","expiration":"1d","access":{"search":[{"names":["logs*"]}],"replication":[{"names":["archive*"]}]},"metadata":{"description":"phase one","environment":{"level":1,"trusted":true,"tags":["dev","staging"]}}}' "$ELASTICSEARCH_URL/_security/cross_cluster/api_key"
client.security().createCrossClusterApiKey(c -> c
    .access(a -> a
        .replication(r -> r
            .names("archive*")
        )
        .search(s -> s
            .names("logs*")
        )
    )
    .expiration(e -> e
        .time("1d")
    )
    .metadata(Map.of("environment", JsonData.fromJson("{\"level\":1,\"trusted\":true,\"tags\":[\"dev\",\"staging\"]}"),"description", JsonData.fromJson("\"phase one\"")))
    .name("my-cross-cluster-api-key")
);
Request example
Run `POST /_security/cross_cluster/api_key` to create a cross-cluster API key. 
{
  "name": "my-cross-cluster-api-key",
  "expiration": "1d",   
  "access": {
    "search": [  
      {
        "names": ["logs*"]
      }
    ],
    "replication": [  
      {
        "names": ["archive*"]
      }
    ]
  },
  "metadata": {
    "description": "phase one",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}
Response examples (200)
A successful response from `POST /_security/service/elastic/fleet-server/credential/token`. 
{
  "created": true,
  "token": {
    "name": "Jk5J1HgBuyBK5TpDrdo4",
    "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ"
  }
}