[role="xpack"]
[[security-api-grant-api-key]]
=== Grant API key API
++++
Grant API keys
++++
Creates an API key on behalf of another user.
[[security-api-grant-api-key-request]]
==== {api-request-title}
`POST /_security/api_key/grant`
[[security-api-grant-api-key-prereqs]]
==== {api-prereq-title}
* To use this API, you must have the `grant_api_key` or the `manage_api_key` cluster privilege.
[[security-api-grant-api-key-desc]]
==== {api-description-title}
This API is similar to <>, however it creates the
API key for a user that is different than the user that runs the API.
The caller must have authentication credentials for the user on whose behalf
the API key will be created. It is not possible to use this API to create an
API key without that user's credentials.
The supported user authentication credentials types are:
* username and password
* <>
* <>
The user, for whom the authentication credentials is provided,
can optionally <> (impersonate) another user.
In this case, the API key will be created on behalf of the impersonated user.
This API is intended be used by applications that need to create and manage
API keys for end users, but cannot guarantee that those users have permission
to create API keys on their own behalf (see <>).
The API keys are created by the {es} API key service, which is automatically
enabled.
A successful grant API key API call returns a JSON structure that contains the
API key, its unique id, and its name. If applicable, it also returns expiration
information for the API key in milliseconds.
NOTE: By default, API keys never expire. You can specify expiration information
when you create the API keys.
See <> for configuration settings related to API key
service.
[[security-api-grant-api-key-request-body]]
==== {api-request-body-title}
The following parameters can be specified in the body of a POST request:
`access_token`::
(Required*, string)
The user's <>, or JWT. Both <> and
<> JWT token types are supported, and they depend on the underlying JWT realm configuration.
The created API key will have a point in time snapshot of permissions of the user authenticated with this token
(or even more restricted permissions, see the `role_descriptors` parameter).
If you specify the `access_token` grant type, this parameter is required. It is not valid with other grant types.
`api_key`::
(Required, object)
Defines the API key.
`expiration`:::
(Optional, string) Expiration time for the API key. By default, API keys never
expire.
`name`:::
(Required, string) Specifies the name for this API key.
`role_descriptors`:::
(Optional, object) The role descriptors for this API
key. This parameter is optional. When it is not specified or is an empty array,
the API key has a point in time snapshot of permissions of the specified user or
access token. If you supply role descriptors, the resultant permissions are an
intersection of API keys permissions and the permissions of the user or access
token. The structure of a role descriptor is the same as the request for <>.
`metadata`:::
(Optional, object) Arbitrary metadata that you want to associate with the API key.
It supports nested data structure.
Within the `metadata` object, keys beginning with `_` are reserved for
system usage.
include::client-authentication.asciidoc[]
`grant_type`::
(Required, string)
The type of grant. Supported grant types are: `access_token`,`password`.
`access_token`:::
In this type of grant, you must supply either an access token, that was created by the
{es} token service (see <> and <>),
or a <> (either a JWT `access_token` or a JWT `id_token`).
`password`:::
In this type of grant, you must supply the user ID and password for which you
want to create the API key.
`password`::
(Required*, string)
The user's password. If you specify the `password` grant type, this parameter is
required. It is not valid with other grant types.
`username`::
(Required*, string)
The user name that identifies the user. If you specify the `password` grant type,
this parameter is required. It is not valid with other grant types.
`run_as`::
(Optional, string)
The name of the user to be <>.
*Indicates that the setting is required in some, but not all situations.
[[security-api-grant-api-key-example]]
==== {api-examples-title}
[source,console]
------------------------------------------------------------
POST /_security/api_key/grant
{
"grant_type": "password",
"username" : "test_admin",
"password" : "x-pack-test-password",
"api_key" : {
"name": "my-api-key",
"expiration": "1d",
"role_descriptors": {
"role-a": {
"cluster": ["all"],
"indices": [
{
"names": ["index-a*"],
"privileges": ["read"]
}
]
},
"role-b": {
"cluster": ["all"],
"indices": [
{
"names": ["index-b*"],
"privileges": ["all"]
}
]
}
},
"metadata": {
"application": "my-application",
"environment": {
"level": 1,
"trusted": true,
"tags": ["dev", "staging"]
}
}
}
}
------------------------------------------------------------
The user (`test_admin`) whose credentials are provided can "run as" another user (`test_user`).
The API key will be granted to the impersonated user (`test_user`).
[source,console]
------------------------------------------------------------
POST /_security/api_key/grant
{
"grant_type": "password",
"username" : "test_admin", <1>
"password" : "x-pack-test-password", <2>
"run_as": "test_user", <3>
"api_key" : {
"name": "another-api-key"
}
}
------------------------------------------------------------
<1> The user for which the credential is provided and performs "run as".
<2> Credential for the above user
<3> The impersonated user for whom the API key will be created for.