API key management in Elasticsearch - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is an API key in Elasticsearch?
An API key in Elasticsearch is a unique token that allows secure access to the Elasticsearch cluster without using a username and password. It acts like a special password for applications.
beginner
How do you create an API key in Elasticsearch?
You create an API key by sending a POST request to the _security/api_key endpoint with details like the name and permissions. Elasticsearch returns the key ID and the API key string.
intermediate
What is the purpose of API key expiration in Elasticsearch?
API key expiration sets a time limit on how long the key is valid. This helps improve security by automatically disabling keys after a set period, reducing risk if a key is lost or stolen.
intermediate
How can you invalidate an API key in Elasticsearch?
You invalidate an API key by sending a DELETE request to the _security/api_key endpoint with the key ID or name. This immediately revokes the key's access.
beginner
Why is it better to use API keys instead of user passwords for applications?
API keys are better because they can be limited in scope and time, making them safer. They avoid exposing user passwords and can be easily revoked without affecting user accounts.
Which Elasticsearch endpoint is used to create an API key?
A. GET /_security/api_key
B. POST /_security/api_key
C. DELETE /_security/api_key
D. PUT /_security/api_key

What information do you receive after creating an API key?
A. Only the API key string
B. Username and password
C. Only the key ID
D. Key ID and API key string

How do you revoke an API key in Elasticsearch?
A. Send a DELETE request to /_security/api_key with the key ID
B. Send a POST request to /_security/api_key
C. Send a GET request to /_security/api_key
D. Send a PUT request to /_security/api_key

Why should API keys have expiration times?
A. To limit how long they can be used for better security
B. To make them harder to create
C. To increase their length
D. To allow unlimited access

Which of these is NOT a benefit of using API keys?
A. They can be scoped to specific permissions
B. They can be revoked without affecting user accounts
C. They expose user passwords
D. They can have expiration times
Explain how to create, use, and revoke an API key in Elasticsearch.
Think about the REST endpoints and the lifecycle of an API key.

Describe why API key expiration and revocation are important for security.
Consider what happens if a key is lost or stolen.

      Practice

      1. What is the primary purpose of an API key in Elasticsearch?
      easy
      A. To monitor Elasticsearch cluster health
      B. To store data inside Elasticsearch indices
      C. To allow applications to securely access Elasticsearch with specific permissions
      D. To backup Elasticsearch data automatically

      Solution

      1. Step 1: Understand API key role

        API keys are secret tokens used to authenticate and authorize applications.
      2. Step 2: Identify purpose in Elasticsearch

        They grant controlled access to Elasticsearch resources based on assigned roles.
      3. Final Answer:

        To allow applications to securely access Elasticsearch with specific permissions -> Option C
      4. Quick Check:

        API key = secure app access [OK]
      Hint: API keys control app access permissions [OK]
      Common Mistakes:
      • Confusing API keys with data storage
      • Thinking API keys monitor cluster health
      • Assuming API keys handle backups
      2. Which of the following is the correct Elasticsearch API call to create an API key?
      easy
      A. DELETE /_security/api_key
      B. GET /_security/api_key/create
      C. PUT /_security/api_key
      D. POST /_security/api_key

      Solution

      1. Step 1: Recall API key creation syntax

        Elasticsearch uses POST method to create resources like API keys.
      2. Step 2: Match correct endpoint

        The correct endpoint for creating an API key is POST /_security/api_key.
      3. Final Answer:

        POST /_security/api_key -> Option D
      4. Quick Check:

        POST + /_security/api_key = create key [OK]
      Hint: Use POST to create API keys in Elasticsearch [OK]
      Common Mistakes:
      • Using GET or DELETE for creation
      • Confusing endpoint paths
      • Using PUT instead of POST
      3. Given this API key creation request body, what will be the name of the created API key?
      {
        "name": "my-app-key",
        "role_descriptors": {
          "my-role": {
            "cluster": ["all"],
            "index": [{"names": ["logs-*"], "privileges": ["read"]}]
          }
        }
      }
      medium
      A. my-app-key
      B. my-role
      C. logs-*
      D. all

      Solution

      1. Step 1: Identify the API key name field

        The "name" field in the request body sets the API key's name.
      2. Step 2: Read the value of the "name" field

        The value is "my-app-key", which becomes the API key's name.
      3. Final Answer:

        my-app-key -> Option A
      4. Quick Check:

        API key name = "name" field value [OK]
      Hint: API key name is in the "name" field [OK]
      Common Mistakes:
      • Confusing role name with API key name
      • Using index pattern as key name
      • Mistaking privileges for name
      4. You try to delete an API key using this request: DELETE /_security/api_key?id=12345 but get an error. What is the likely cause?
      medium
      A. API key names cannot be deleted, only IDs
      B. API key ID must be passed in the request body, not as a query parameter
      C. DELETE method is not supported for API keys
      D. You must use GET method to delete API keys

      Solution

      1. Step 1: Check API key deletion syntax

        Elasticsearch requires the API key ID in the request body JSON, not as a URL query parameter.
      2. Step 2: Understand method support

        DELETE method is supported, but parameters must be correctly passed in the body.
      3. Final Answer:

        API key ID must be passed in the request body, not as a query parameter -> Option B
      4. Quick Check:

        Delete API key ID in body, not URL [OK]
      Hint: Pass API key ID in JSON body for deletion [OK]
      Common Mistakes:
      • Passing ID as URL query parameter
      • Using wrong HTTP method
      • Confusing API key name with ID
      5. You want to create an API key that only allows reading from indices starting with "sales-" and no cluster privileges. Which role descriptor is correct in the request body?
      hard
      A. { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } }
      B. { "role_descriptors": { "read_sales": { "cluster": ["all"], "index": [{ "names": ["sales-*"], "privileges": ["write"] }] } } }
      C. { "role_descriptors": { "read_sales": { "cluster": ["monitor"], "index": [{ "names": ["sales-*"], "privileges": ["all"] }] } } }
      D. { "role_descriptors": { "read_sales": { "cluster": ["all"], "index": [{ "names": ["*"], "privileges": ["read"] }] } } }

      Solution

      1. Step 1: Identify required privileges

        The API key should have no cluster privileges and only read privileges on indices starting with "sales-".
      2. Step 2: Match role descriptor to requirements

        { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } } has empty cluster privileges and read privilege on "sales-*" indices, matching the requirement.
      3. Final Answer:

        { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } } -> Option A
      4. Quick Check:

        No cluster + read sales-* = { "role_descriptors": { "read_sales": { "cluster": [], "index": [{ "names": ["sales-*"], "privileges": ["read"] }] } } } [OK]
      Hint: Empty cluster array means no cluster privileges [OK]
      Common Mistakes:
      • Giving cluster all privileges by mistake
      • Using write or all privileges instead of read
      • Applying privileges to wrong index patterns