docs: Update standalone apm server API key required privileges

[carsonip]

The documentation around required APM server API keys privileges is outdated. https://www.elastic.co/guide/en/apm/guide/current/feature-roles.html

The privileges that the fleet-server has are listed directly in ES https://github.com/elastic/elasticsearch/blob/main/x-pack/docs/en/rest-api/security/get-service-accounts.asciidoc?plain=1#L64C28-L85. These privileges need to contain all the privileges that apm needs, as it is the basis for creating API Keys when using the Elastic Agent and Fleet are created from them.

[simitt]

@bmorelli25 could you take a look at this please, we had some users running into issues on upgrade as we haven't updated the required security privileges.

[bmorelli25]

Taking a look at this now, and I'm slightly confused. The page you link to in the docs is for standalone APM Server, but those privileges are for Fleet. Also, what role are changes required for? All of them?

[bmorelli25]

Okay so...

ES docs indicate the following cluster level privileges for Fleet Server:

  "cluster":[
    "manage_own_api_key",
    "monitor"
  ],

ES docs indicate privileges are required on the following indices:

  "indices":[
    {
      "names":[
        "logs-*",
        "metrics-*",
        "traces-*",
        ".logs-endpoint.diagnostic.collection-*",
        ".logs-endpoint.action.responses-*"
      ],

ES docs indicate that the following index-level privileges are needed:

          "privileges": [
            "write",
            "create_index",
            "auto_configure"
          ],

These privileges need to contain all the privileges that apm needs, as it is the basis for creating API Keys when using the Elastic Agent and Fleet are created from them.

So our API key creation needs to include all of the above, plus the following application-level privileges:

  "applications":[
    {
      "application":"apm",
      "privileges":[
        "event:write"
      ],
      "resources":[
        "*"
      ]
    }
  ]

Which results in this. Does this sound right?

{
  "cluster":[
    "manage_own_api_key",
    "monitor"
  ],
  "indices":[
    {
      "names":[
        "logs-*",
        "metrics-*",
        "traces-*",
        ".logs-endpoint.diagnostic.collection-*",
        ".logs-endpoint.action.responses-*"
      ],
      "privileges":[
        "write",
        "create_index",
        "auto_configure"
      ],
      "allow_restricted_indices":false
    }
  ],
  "applications":[
    {
      "application":"apm",
      "privileges":[
        "event:write"
      ],
      "resources":[
        "*"
      ]
    }
  ]
}

[simitt]

@bmorelli25 I don't think that the apm-server standalone needs all of these privileges; will try to dig into this in the next couple of days.

[simitt]

@bmorelli25 apologies for coming back to this that late; the applications privileges should only be needed for elastic apm agents communicating with the apm-server, but not for ApiKeys used by the apm-server to communicate to ES. I also don't think that the server needs cluster privileges (but haven't tested this out).
IMO this should be enough:

  "indices":[
    {
      "names":[
        "logs-*",
        "metrics-*",
        "traces-*"
      ],
      "privileges":[
        "write",
        "create_index",
        "auto_configure"
      ]
    }
  ]

[carsonip]

Files need to be updated:

• docs/access-api-keys.asciidoc
• docs/feature-roles.asciidoc

[carsonip]

Assigning @endorama as there is ongoing work in elastic/observability-docs#3980