
API key management in Elasticsearch - Practice Problems & Coding Challenges

Challenge - 5 Problems
Predict Output
intermediate
What is the output of this API key creation response?
You run this Elasticsearch API call to create an API key. What is the output?
Elasticsearch
POST /_security/api_key
{
  "name": "my-api-key",
  "role_descriptors": {
    "my-role": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["my-index"],
          "privileges": ["read"]
        }
      ]
    }
  }
}
A. {"name":"my-api-key","api_key":"ZXhhbXBsZWFwaWtleQ=="}
B. {"id":"abc123","name":"my-api-key"}
C. {"error":"missing api_key field"}
D. {"id":"abc123","name":"my-api-key","api_key":"ZXhhbXBsZWFwaWtleQ=="}
Hint: The API key creation response includes the key ID, name, and the encoded key string.
Predict Output
intermediate
What error does this API key deletion request produce?
You try to delete an API key with this request but get an error. What is the error?
Elasticsearch
DELETE /_security/api_key
{
  "id": "nonexistent-id"
}
A. {"found":false}
B. {"deleted":false}
C. {"status":404,"error":"Not Found"}
D. {"error":"api key not found"}
Hint: Elasticsearch returns a simple found flag for deletion attempts.
🧠 Conceptual
advanced
Which option correctly describes API key privileges in Elasticsearch?
Choose the correct statement about API key privileges in Elasticsearch.
A. API keys can have both cluster and index privileges defined in role descriptors.
B. API keys can only have cluster-wide privileges, not index privileges.
C. API keys automatically inherit all privileges of the user who created them.
D. API keys cannot be restricted and always have full access.
Hint: Think about how roles define access in Elasticsearch.
Predict Output
advanced
What is the output of this API key authentication attempt?
You use this API key in the Authorization header to authenticate. What is the expected response?
Elasticsearch
GET /_security/_authenticate
Headers: {"Authorization": "ApiKey ZXhhbXBsZWFwaWtleQ=="}
A. {"error":"invalid api key"}
B. {"username":"elastic","roles":["superuser"],"api_key":{"id":"abc123","name":"my-api-key"}}
C. {"username":"elastic","roles":[],"api_key":null}
D. {"status":401,"error":"Unauthorized"}
Hint: Successful API key authentication returns user info and key details.
Predict Output
expert
How many API keys are returned by this query?
You run this request to list API keys created by user 'alice'. How many keys are returned?
Elasticsearch
GET /_security/api_key?owner=true
A. The response is empty because 'owner' is not a valid parameter.
B. The response contains all API keys in the cluster regardless of owner, count is total keys.
C. The response contains only API keys created by the authenticated user, count depends on keys owned.
D. The response contains only API keys created by other users, excluding the authenticated user.
Hint: The 'owner' parameter filters keys by the authenticated user.

Practice

1. What is the primary purpose of an API key in Elasticsearch?
easy
A. To monitor Elasticsearch cluster health
B. To store data inside Elasticsearch indices
C. To allow applications to securely access Elasticsearch with specific permissions
D. To backup Elasticsearch data automatically

Solution

  1. Step 1: Understand API key role

    API keys are secret tokens used to authenticate and authorize applications.
  2. Step 2: Identify purpose in Elasticsearch

    They grant controlled access to Elasticsearch resources based on assigned roles.
  3. Final Answer:

    To allow applications to securely access Elasticsearch with specific permissions -> Option C
  4. Quick Check:

    API key = secure app access [OK]
Hint: API keys control app access permissions [OK]
Common Mistakes:
  • Confusing API keys with data storage
  • Thinking API keys monitor cluster health
  • Assuming API keys handle backups
2. Which of the following is the correct Elasticsearch API call to create an API key?
easy
A. DELETE /_security/api_key
B. GET /_security/api_key/create
C. PUT /_security/api_key
D. POST /_security/api_key

Solution

  1. Step 1: Recall API key creation syntax

    Elasticsearch uses the POST method to create resources like API keys.
  2. Step 2: Match correct endpoint

    The correct endpoint for creating an API key is POST /_security/api_key.
  3. Final Answer:

    POST /_security/api_key -> Option D
  4. Quick Check:

    POST + /_security/api_key = create key [OK]
Hint: Use POST to create API keys in Elasticsearch [OK]
Common Mistakes:
  • Using GET or DELETE for creation
  • Confusing endpoint paths
  • Using PUT instead of POST
3. Given this API key creation request body, what will be the name of the created API key?
{
  "name": "my-app-key",
  "role_descriptors": {
    "my-role": {
      "cluster": ["all"],
      "index": [{"names": ["logs-*"], "privileges": ["read"]}]
    }
  }
}
medium
A. my-app-key
B. my-role
C. logs-*
D. all

Solution

  1. Step 1: Identify the API key name field

    The "name" field in the request body sets the API key's name.
  2. Step 2: Read the value of the "name" field

    The value is "my-app-key", which becomes the API key's name.
  3. Final Answer:

    my-app-key -> Option A
  4. Quick Check:

    API key name = "name" field value [OK]
Hint: API key name is in the "name" field [OK]
Common Mistakes:
  • Confusing role name with API key name
  • Using index pattern as key name
  • Mistaking privileges for name
4. You try to delete an API key using this request: DELETE /_security/api_key?id=12345 but get an error. What is the likely cause?
medium
A. API key names cannot be deleted, only IDs
B. API key ID must be passed in the request body, not as a query parameter
C. DELETE method is not supported for API keys
D. You must use GET method to delete API keys

Solution

  1. Step 1: Check API key deletion syntax

    Elasticsearch requires the API key ID in the request body JSON, not as a URL query parameter.
  2. Step 2: Understand method support

    The DELETE method is supported, but the parameters must be passed correctly in the body.
  3. Final Answer:

    API key ID must be passed in the request body, not as a query parameter -> Option B
  4. Quick Check:

    Delete API key ID in body, not URL [OK]
Hint: Pass API key ID in JSON body for deletion [OK]
Common Mistakes:
  • Passing ID as URL query parameter
  • Using wrong HTTP method
  • Confusing API key name with ID
5. You want to create an API key that only allows reading from indices starting with "sales-" and no cluster privileges. Which role descriptor is correct in the request body?
hard
A. { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } }
B. { "role_descriptors": { "read_sales": { "cluster": ["all"], "index": [{ "names": ["sales-*"], "privileges": ["write"] }] } } }
C. { "role_descriptors": { "read_sales": { "cluster": ["monitor"], "index": [{ "names": ["sales-*"], "privileges": ["all"] }] } } }
D. { "role_descriptors": { "read_sales": { "cluster": ["all"], "index": [{ "names": ["*"], "privileges": ["read"] }] } } }

Solution

  1. Step 1: Identify required privileges

    The API key should have no cluster privileges and only read privileges on indices starting with "sales-".
  2. Step 2: Match role descriptor to requirements

    { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } } has empty cluster privileges and read privilege on "sales-*" indices, matching the requirement.
  3. Final Answer:

    { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } } -> Option A
  4. Quick Check:

    No cluster + read sales-* = { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } } [OK]
Hint: Empty cluster array means no cluster privileges [OK]
Common Mistakes:
  • Giving cluster all privileges by mistake
  • Using write or all privileges instead of read
  • Applying privileges to wrong index patterns
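
The requirement in question 5 (read-only on "sales-*", no cluster privileges) can be checked mechanically before a key request is ever sent. The following is an added example, not code from the original page or from Elasticsearch; the function names audit_role_descriptors and audit_candidates are hypothetical, and the four request bodies are the options A to D quoted above.

```python
import json

# The four candidate request bodies from question 5, copied from the page.
CANDIDATES = {
    "A": '{"role_descriptors": {"read_sales": {"cluster": [], "index": [{"names": ["sales-*"], "privileges": ["read"]}]}}}',
    "B": '{"role_descriptors": {"read_sales": {"cluster": ["all"], "index": [{"names": ["sales-*"], "privileges": ["write"]}]}}}',
    "C": '{"role_descriptors": {"read_sales": {"cluster": ["monitor"], "index": [{"names": ["sales-*"], "privileges": ["all"]}]}}}',
    "D": '{"role_descriptors": {"read_sales": {"cluster": ["all"], "index": [{"names": ["*"], "privileges": ["read"]}]}}}',
}


def audit_role_descriptors(body, index_prefix="sales-", allowed_privileges=frozenset({"read"})):
    """Return a list of findings; an empty list means the request matches the policy.

    Hypothetical policy (from question 5): no cluster privileges, index patterns
    confined to `index_prefix`, index privileges limited to `allowed_privileges`.
    """
    findings = []
    descriptors = body.get("role_descriptors") or {}
    if not descriptors:
        findings.append("request defines no role_descriptors to restrict the key")
    for role, desc in descriptors.items():
        # Any entry in "cluster" is a cluster-level grant; the policy wants none.
        for priv in desc.get("cluster", []):
            findings.append(f"{role}: cluster privilege '{priv}' granted")
        for entry in desc.get("index", []):
            # A pattern such as "*" escapes the intended index family.
            for name in entry.get("names", []):
                if not name.startswith(index_prefix):
                    findings.append(f"{role}: index pattern '{name}' is outside '{index_prefix}*'")
            for priv in entry.get("privileges", []):
                if priv not in allowed_privileges:
                    findings.append(f"{role}: index privilege '{priv}' exceeds {sorted(allowed_privileges)}")
    return findings


def audit_candidates():
    """Audit every option from question 5 and return {letter: findings}."""
    return {letter: audit_role_descriptors(json.loads(raw)) for letter, raw in CANDIDATES.items()}


if __name__ == "__main__":
    for letter, findings in audit_candidates().items():
        print(letter, "OK" if not findings else findings)
```

A check like this fits in a CI step or a provisioning script, so an over-broad descriptor is rejected before the key exists.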