Update a cross-cluster API key Generally available

PUT /_security/cross_cluster/api_key/{id}
Api key auth Basic auth Bearer auth

Update the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access.

To use this API, you must have at least the manage_security cluster privilege. Users can only update API keys that they created. To update another user's API key, use the run_as feature to submit a request on behalf of another user.

IMPORTANT: It's not possible to use an API key as the authentication credential for this API. To update an API key, the owner user's credentials are required.

It's not possible to update expired API keys, or API keys that have been invalidated by the invalidate API key API.

This API supports updates to an API key's access scope, metadata, and expiration. The owner user's information, such as the username and realm, is also updated automatically on every call.

NOTE: This API cannot update REST API keys, which should be updated by either the update API key or bulk update API keys API.

To learn more about how to use this API, refer to the Update cross cluter API key API examples page.

Required authorization

  • Cluster privileges: manage_security
External documentation

Path parameters

  • id string Required

    The ID of the cross-cluster API key to update.

application/json

Body Required

  • access object Required
    Hide access attributes Show access attributes object
    • replication array[object]

      A list of indices permission entries for cross-cluster replication.

      Hide replication attributes Show replication attributes object

      • names string | array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

        One of:
        IndexName string array-2 array[string]
      • allow_restricted_indices boolean

        This needs to be set to true if the patterns in the names field should cover system indices.

        Default value is false.

    • search array[object]

      A list of indices permission entries for cross-cluster search.

      Hide search attributes Show search attributes object
      • field_security object
        Hide field_security attributes Show field_security attributes object
        • except string | array[string]
        • grant string | array[string]

      • names string | array[string] Required

        A list of indices (or index name patterns) to which the permissions in this entry apply.

        One of:
        IndexName string array-2 array[string]

      • query string | object

        While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.

        Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.

        One of:
        string-1 string QueryContainer object RoleTemplateQuery object

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        External documentation
      • allow_restricted_indices boolean Generally available

        Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

        Default value is false.

  • expiration string

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • metadata object
    Hide metadata attribute Show metadata attribute object
    • * object Additional properties

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • updated boolean Required

      If true, the API key was updated. If false, the API key didn’t change because no change was detected.
PUT /_security/cross_cluster/api_key/{id} 
PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx
{
  "access": {
    "replication": [
      {
        "names": ["archive"]
      }
    ]
  },
  "metadata": {
    "application": "replication"
  }
}
resp = client.security.update_cross_cluster_api_key(
    id="VuaCfGcBCdbkQm-e5aOx",
    access={
        "replication": [
            {
                "names": [
                    "archive"
                ]
            }
        ]
    },
    metadata={
        "application": "replication"
    },
)
const response = await client.security.updateCrossClusterApiKey({
  id: "VuaCfGcBCdbkQm-e5aOx",
  access: {
    replication: [
      {
        names: ["archive"],
      },
    ],
  },
  metadata: {
    application: "replication",
  },
});
response = client.security.update_cross_cluster_api_key(
  id: "VuaCfGcBCdbkQm-e5aOx",
  body: {
    "access": {
      "replication": [
        {
          "names": [
            "archive"
          ]
        }
      ]
    },
    "metadata": {
      "application": "replication"
    }
  }
)
$resp = $client->security()->updateCrossClusterApiKey([
    "id" => "VuaCfGcBCdbkQm-e5aOx",
    "body" => [
        "access" => [
            "replication" => array(
                [
                    "names" => array(
                        "archive",
                    ),
                ],
            ),
        ],
        "metadata" => [
            "application" => "replication",
        ],
    ],
]);
curl -X PUT -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"access":{"replication":[{"names":["archive"]}]},"metadata":{"application":"replication"}}' "$ELASTICSEARCH_URL/_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx"
client.security().updateCrossClusterApiKey(u -> u
    .access(a -> a
        .replication(r -> r
            .names("archive")
        )
    )
    .id("VuaCfGcBCdbkQm-e5aOx")
    .metadata("application", JsonData.fromJson("\"replication\""))
);
Request example
Run `PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx` to update a cross-cluster API key, assigning it new access scope and metadata. 
{
  "access": {
    "replication": [
      {
        "names": ["archive"]
      }
    ]
  },
  "metadata": {
    "application": "replication"
  }
}
Response examples (200)
A successful response from `PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx` that indicates that the API key was updated. 
{
  "updated": true
}