application/json

BodyRequired

  • expirationstring

    A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

  • idsstring | array[string] Required

    The API key identifiers.

    One of:
    string-1stringarray-2array[string]
  • metadataobject
    Hide metadata attribute Show metadata attribute object
  • role_descriptorsobject

    The role descriptors to assign to the API keys. An API key's effective permissions are an intersection of its assigned privileges and the point-in-time snapshot of permissions of the owner user. You can assign new privileges by specifying them in this parameter. To remove assigned privileges, supply the role_descriptors parameter as an empty object {}. If an API key has no assigned privileges, it inherits the owner user's full permissions. The snapshot of the owner's permissions is always updated, whether you supply the role_descriptors parameter. The structure of a role descriptor is the same as the request for the create API keys API.

    Hide role_descriptors attribute Show role_descriptors attribute object
    • *object Additional properties
      Hide * attributes Show * attributes object
      • clusterarray[string]

        A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.

      • indicesarray[object]

        A list of indices permissions entries.

        Hide indices attributes Show indices attributes object
        • field_securityobject
          Hide field_security attributes Show field_security attributes object
          • exceptstring | array[string]
          • grantstring | array[string]
        • namesarray[string] Required

          A list of indices (or index name patterns) to which the permissions in this entry apply.

        • privilegesarray[string] Required

          The index level privileges that owners of the role have on the specified indices.

        • querystring | object

          While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.

          Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.

          One of:
          IndicesPrivilegesQuerystringQueryContainerobjectRoleTemplateQueryobject

          An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

          External documentation
        • allow_restricted_indicesboolean

          Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

      • remote_indicesarray[object]

        A list of indices permissions for remote clusters.

        Hide remote_indices attributes Show remote_indices attributes object
        • clustersstring | array[string] Required
        • field_securityobject
          Hide field_security attributes Show field_security attributes object
          • exceptstring | array[string]
          • grantstring | array[string]
        • namesarray[string] Required

          A list of indices (or index name patterns) to which the permissions in this entry apply.

        • privilegesarray[string] Required

          The index level privileges that owners of the role have on the specified indices.

        • querystring | object

          While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.

          Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.

          One of:
          IndicesPrivilegesQuerystringQueryContainerobjectRoleTemplateQueryobject

          An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

          External documentation
        • allow_restricted_indicesboolean

          Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.

      • remote_clusterarray[object]

        A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.

        Hide remote_cluster attributes Show remote_cluster attributes object
        • clustersstring | array[string] Required
        • privilegesarray[string] Required

          The cluster level privileges that owners of the role have on the remote cluster.

          Values are monitor_enrich or monitor_stats.

      • globalarray[object] | object

        An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.

        One of:
        array-1array[object]GlobalPrivilegeobject
        Hide attribute Show attribute object
        • applicationobject Required
          Hide application attribute Show application attribute object
      • applicationsarray[object]

        A list of application privilege entries

        Hide applications attributes Show applications attributes object
        • applicationstring Required

          The name of the application to which this entry applies.

        • privilegesarray[string] Required

          A list of strings, where each element is the name of an application privilege or action.

        • resourcesarray[string] Required

          A list resources to which the privileges are applied.

      • metadataobject
        Hide metadata attribute Show metadata attribute object
      • run_asarray[string]

        A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.

      • descriptionstring

        Optional description of the role descriptor

      • restrictionobject
        Hide restriction attribute Show restriction attribute object
        • workflowsarray[string] Required

          A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.

      • transient_metadataobject
        Hide transient_metadata attribute Show transient_metadata attribute object

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • errorsobject
      Hide errors attributes Show errors attributes object
      • countnumber Required

        The number of errors

      • detailsobject Required

        Details about the errors, keyed by role name

        Hide details attribute Show details attribute object
        • *object
          Hide * attributes Show * attributes object
          • typestring Required

            The type of error

          • reasonstring

            A human-readable explanation of the error, in English.

          • stack_tracestring

            The server stack trace. Present only if the error_trace=true parameter was sent with the request.

          • caused_byobject
          • root_causearray[object]
          • suppressedarray[object]
    • noopsarray[string] Required
    • updatedarray[string] Required
POST /_security/api_key/_bulk_update
curl \
 --request POST 'http://api.example.com/_security/api_key/_bulk_update' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"ids\": [\n    \"VuaCfGcBCdbkQm-e5aOx\",\n    \"H3_AhoIBA9hmeQJdg7ij\"\n  ],\n  \"role_descriptors\": {\n    \"role-a\": {\n      \"indices\": [\n        {\n          \"names\": [\n            \"*\"\n          ],\n          \"privileges\": [\n            \"write\"\n          ]\n        }\n      ]\n    }\n  },\n  \"metadata\": {\n    \"environment\": {\n      \"level\": 2,\n      \"trusted\": true,\n      \"tags\": [\n        \"production\"\n      ]\n    }\n  },\n  \"expiration\": \"30d\"\n}"'
Request examples
Assign new role descriptors and metadata and update the expiration time for two API keys.
{
  "ids": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": [
            "*"
          ],
          "privileges": [
            "write"
          ]
        }
      ]
    }
  },
  "metadata": {
    "environment": {
      "level": 2,
      "trusted": true,
      "tags": [
        "production"
      ]
    }
  },
  "expiration": "30d"
}
Remove the previously assigned permissions for two API keys, making them inherit the owner user's full permissions.
{
  "ids": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "role_descriptors": {}
}
Response examples (200)
A successful response from updating two API keys.
{
  "updated": [
    "VuaCfGcBCdbkQm-e5aOx",
    "H3_AhoIBA9hmeQJdg7ij"
  ],
  "noops": []
}