Update a cross-cluster API key Generally available

PUT /_security/cross_cluster/api_key/{id}
Api key auth Basic auth Bearer auth

Update the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access.

To use this API, you must have at least the manage_security cluster privilege. Users can only update API keys that they created. To update another user's API key, use the run_as feature to submit a request on behalf of another user.

IMPORTANT: It's not possible to use an API key as the authentication credential for this API. To update an API key, the owner user's credentials are required.

It's not possible to update expired API keys, or API keys that have been invalidated by the invalidate API key API.

This API supports updates to an API key's access scope, metadata, and expiration. The owner user's information, such as the username and realm, is also updated automatically on every call.

NOTE: This API cannot update REST API keys, which should be updated by either the update API key or bulk update API keys API.

To learn more about how to use this API, refer to the Update cross cluter API key API examples page.

Required authorization

  • Cluster privileges: manage_security
External documentation

Path parameters

  • id string Required

    The ID of the cross-cluster API key to update.

application/json

Body Required

  • access object Required

    The access to be granted to this API key. The access is composed of permissions for cross cluster search and cross cluster replication. At least one of them must be specified. When specified, the new access assignment fully replaces the previously assigned access.

    Hide access attributes Show access attributes object
    • replication array[object]

      A list of indices permission entries for cross-cluster replication.

      Hide replication attributes Show replication attributes object

      • names string | array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

        One of:
        IndexName string array-2 array[string]
      • allow_restricted_indices boolean

        This needs to be set to true if the patterns in the names field should cover system indices.

        Default value is false.

    • search array[object]

      A list of indices permission entries for cross-cluster search.

      Hide search attributes Show search attributes object
      • field_security object

        The document fields that the owners of the role have read access to.

      • names string | array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

        One of:
        IndexName string array-2 array[string]

      • query string | object

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        One of:
        string-1 string QueryContainer object RoleTemplateQuery object

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

        A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.

      • allow_restricted_indices boolean Generally available

        Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

        Default value is false.

  • expiration string

    The expiration time for the API key. By default, API keys never expire. This property can be omitted to leave the value unchanged.

  • metadata object

    Arbitrary metadata that you want to associate with the API key. It supports nested data structure. Within the metadata object, keys beginning with _ are reserved for system usage. When specified, this information fully replaces metadata previously associated with the API key.

    Hide metadata attribute Show metadata attribute object
    • * object Additional properties

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • updated boolean Required

      If true, the API key was updated. If false, the API key didn’t change because no change was detected.
PUT /_security/cross_cluster/api_key/{id} 
PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx
{
  "access": {
    "replication": [
      {
        "names": ["archive"]
      }
    ]
  },
  "metadata": {
    "application": "replication"
  }
}
resp = client.security.update_cross_cluster_api_key(
    id="VuaCfGcBCdbkQm-e5aOx",
    access={
        "replication": [
            {
                "names": [
                    "archive"
                ]
            }
        ]
    },
    metadata={
        "application": "replication"
    },
)
const response = await client.security.updateCrossClusterApiKey({
  id: "VuaCfGcBCdbkQm-e5aOx",
  access: {
    replication: [
      {
        names: ["archive"],
      },
    ],
  },
  metadata: {
    application: "replication",
  },
});
response = client.security.update_cross_cluster_api_key(
  id: "VuaCfGcBCdbkQm-e5aOx",
  body: {
    "access": {
      "replication": [
        {
          "names": [
            "archive"
          ]
        }
      ]
    },
    "metadata": {
      "application": "replication"
    }
  }
)
$resp = $client->security()->updateCrossClusterApiKey([
    "id" => "VuaCfGcBCdbkQm-e5aOx",
    "body" => [
        "access" => [
            "replication" => array(
                [
                    "names" => array(
                        "archive",
                    ),
                ],
            ),
        ],
        "metadata" => [
            "application" => "replication",
        ],
    ],
]);
curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"access":{"replication":[{"names":["archive"]}]},"metadata":{"application":"replication"}}' "$ELASTICSEARCH_URL/_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx"
client.security().updateCrossClusterApiKey(u -> u
    .access(a -> a
        .replication(r -> r
            .names("archive")
        )
    )
    .id("VuaCfGcBCdbkQm-e5aOx")
    .metadata("application", JsonData.fromJson("\"replication\""))
);
Request example
Run `PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx` to update a cross-cluster API key, assigning it new access scope and metadata. 
{
  "access": {
    "replication": [
      {
        "names": ["archive"]
      }
    ]
  },
  "metadata": {
    "application": "replication"
  }
}
Response examples (200)
A successful response from `PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx` that indicates that the API key was updated. 
{
  "updated": true
}