Update attributes of an existing API key.This API supports updates to an API key's access scope, expiration, and metadata.
To use this API, you must have at least themanage_own_api_key cluster privilege.Users can only update API keys that they created or that were granted to them.To update another user’s API key, use therun_as feature to submit a request on behalf of another user.
IMPORTANT: It's not possible to use an API key as the authentication credential for this API. The owner user’s credentials are required.
Use this API to update API keys created by the create API key or grant API Key APIs.If you need to apply the same update to many API keys, you can use the bulk update API keys API to reduce overhead.It's not possible to update expired API keys or API keys that have been invalidated by the invalidate API key API.
The access scope of an API key is derived from therole_descriptors you specify in the request and a snapshot of the owner user's permissions at the time of the request.The snapshot of the owner's permissions is updated automatically on every call.
IMPORTANT: If you don't specifyrole_descriptors in the request, a call to this API might still change the API key's access scope.This change can occur if the owner user's permissions have changed since the API key was created or last modified.
Required authorization
- Cluster privileges:
manage_own_api_key
Body
The role descriptors to assign to this API key.The API key's effective permissions are an intersection of its assigned privileges and the point in time snapshot of permissions of the owner user.You can assign new privileges by specifying them in this parameter.To remove assigned privileges, you can supply an empty
role_descriptorsparameter, that is to say, an empty object{}.If an API key has no assigned privileges, it inherits the owner user's full permissions.The snapshot of the owner's permissions is always updated, whether you supply therole_descriptorsparameter or not.The structure of a role descriptor is the same as the request for the create API keys API.Hide role_descriptors attributeShow role_descriptors attributeobject
Hide * attributesShow * attributesobject
A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
A list of indices permissions entries.
Hide indices attributesShow indices attributesobject
The document fields that the owners of the role have read access to.
External documentation The index level privileges that owners of the role have on the specified indices.
query
string | object A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.
Set to
trueif using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in thenameslist, Elasticsearch checks privileges against these indices regardless of the value set forallow_restricted_indices.Default value is
false.
A list of indices permissions for remote clusters.
The subset of index level privileges that can be defined for remote clusters.
Hide remote_indices attributesShow remote_indices attributesobject
A list of cluster aliases to which the permissions in this entry apply.
The document fields that the owners of the role have read access to.
External documentation The index level privileges that owners of the role have on the specified indices.
query
string | object A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.
Set to
trueif using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in thenameslist, Elasticsearch checks privileges against these indices regardless of the value set forallow_restricted_indices.Default value is
false.
A list of cluster permissions for remote clusters.NOTE: This is limited a subset of the cluster permissions.
The subset of cluster level privileges that can be defined for remote clusters.
Hide remote_cluster attributesShow remote_cluster attributesobject
A list of application privilege entries
Hide applications attributesShow applications attributesobject
Optional meta-data. Within the metadata object, keys that begin with
_are reserved for system usage.A list of users that the API keys can impersonate.NOTE: In Elastic Cloud Serverless, the run-as feature is disabled.For API compatibility, you can still specify an empty
run_asfield, but a non-empty list will be rejected.Optional description of the role descriptor
Restriction for when the role descriptor is allowed to be effective.
Arbitrary metadata that you want to associate with the API key.It supports a nested data structure.Within the metadata object, keys beginning with
_are reserved for system usage.When specified, this value fully replaces the metadata previously associated with the API key.The expiration time for the API key.By default, API keys never expire.This property can be omitted to leave the expiration unchanged.
External documentation
PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx{ "role_descriptors": { "role-a": { "indices": [ { "names": ["*"], "privileges": ["write"] } ] } }, "metadata": { "environment": { "level": 2, "trusted": true, "tags": ["production"] } }}resp = client.security.update_api_key( id="VuaCfGcBCdbkQm-e5aOx", role_descriptors={ "role-a": { "indices": [ { "names": [ "*" ], "privileges": [ "write" ] } ] } }, metadata={ "environment": { "level": 2, "trusted": True, "tags": [ "production" ] } },)const response = await client.security.updateApiKey({ id: "VuaCfGcBCdbkQm-e5aOx", role_descriptors: { "role-a": { indices: [ { names: ["*"], privileges: ["write"], }, ], }, }, metadata: { environment: { level: 2, trusted: true, tags: ["production"], }, },});response = client.security.update_api_key( id: "VuaCfGcBCdbkQm-e5aOx", body: { "role_descriptors": { "role-a": { "indices": [ { "names": [ "*" ], "privileges": [ "write" ] } ] } }, "metadata": { "environment": { "level": 2, "trusted": true, "tags": [ "production" ] } } })$resp = $client->security()->updateApiKey([ "id" => "VuaCfGcBCdbkQm-e5aOx", "body" => [ "role_descriptors" => [ "role-a" => [ "indices" => array( [ "names" => array( "*", ), "privileges" => array( "write", ), ], ), ], ], "metadata" => [ "environment" => [ "level" => 2, "trusted" => true, "tags" => array( "production", ), ], ], ],]);curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"role_descriptors":{"role-a":{"indices":[{"names":["*"],"privileges":["write"]}]}},"metadata":{"environment":{"level":2,"trusted":true,"tags":["production"]}}}' "$ELASTICSEARCH_URL/_security/api_key/VuaCfGcBCdbkQm-e5aOx"client.security().updateApiKey(u -> u .id("VuaCfGcBCdbkQm-e5aOx") .metadata("environment", JsonData.fromJson("{\"level\":2,\"trusted\":true,\"tags\":[\"production\"]}")) .roleDescriptors("role-a", r -> r .indices(i -> i .names("*") .privileges("write") ) ));{ "role_descriptors": { "role-a": { "indices": [ { "names": ["*"], "privileges": ["write"] } ] } }, "metadata": { "environment": { "level": 2, "trusted": true, "tags": ["production"] } }}{ "role_descriptors": {}}{ "updated": true}