With this commit we remove the `auto_configure` privilege for the Fleet service account that targets profiling-related indices. This privilege was needed in the past to automatically create indices and data streams, but as this is managed by the Elasticsearch plugin, there is no need to grant this privilege to Fleet-managed components.
[role="xpack"]
|
|
[[security-api-get-service-accounts]]
|
|
=== Get service accounts API
|
|
|
|
++++
|
|
<titleabbrev>Get service accounts</titleabbrev>
|
|
++++
|
|
|
|
Retrieves information about <<service-accounts,service accounts>>.
|
|
|
|
NOTE: Currently, only the `elastic/fleet-server` service account is available.
|
|
|
|
[[security-api-get-service-accounts-request]]
|
|
==== {api-request-title}
|
|
|
|
`GET /_security/service`
|
|
|
|
`GET /_security/service/<namespace>`
|
|
|
|
`GET /_security/service/<namespace>/<service>`
|
|
|
|
[[security-api-get-service-accounts-prereqs]]
|
|
==== {api-prereq-title}
|
|
|
|
* To use this API, you must have at least the `manage_service_account`
|
|
<<privileges-list-cluster,cluster privilege>>.
|
|
|
|
[[security-api-get-service-accounts-desc]]
|
|
==== {api-description-title}
|
|
|
|
This API returns a list of service accounts that match the provided path parameter(s).
|
|
|
|
[[security-api-get-service-accounts-path-params]]
|
|
==== {api-path-parms-title}
|
|
|
|
`namespace`::
|
|
(Optional, string) Name of the namespace. Omit this parameter to retrieve information about all service accounts. If you omit this parameter, you must also omit the `service` parameter.
|
|
|
|
`service`::
|
|
(Optional, string) Name of the service. Omit this parameter to
|
|
retrieve information about all service accounts that belong to the specified
|
|
`namespace`.
|
|
|
|
[[security-api-get-service-accounts-response-body]]
|
|
==== {api-response-body-title}
|
|
|
|
A successful call returns a JSON object of service accounts, keyed by `<namespace>/<service>`, where each entry contains the account's `role_descriptor`. The API returns an
|
|
empty object if no service account is found.
|
|
|
|
[[security-api-get-service-accounts-example]]
|
|
==== {api-examples-title}
|
|
|
|
The following request retrieves information about the `elastic/fleet-server`
|
|
service account:
|
|
|
|
[source,console]
|
|
----
|
|
GET /_security/service/elastic/fleet-server
|
|
----
|
|
|
|
[source,console-result]
|
|
----
|
|
{
|
|
"elastic/fleet-server": {
|
|
"role_descriptor": {
|
|
"cluster": [
|
|
"monitor",
|
|
"manage_own_api_key",
|
|
"read_fleet_secrets"
|
|
],
|
|
"indices": [
|
|
{
|
|
"names": [
|
|
"logs-*",
|
|
"metrics-*",
|
|
"traces-*",
|
|
".logs-endpoint.diagnostic.collection-*",
|
|
".logs-endpoint.action.responses-*",
|
|
".logs-endpoint.heartbeat-*"
|
|
],
|
|
"privileges": [
|
|
"write",
|
|
"create_index",
|
|
"auto_configure"
|
|
],
|
|
"allow_restricted_indices": false
|
|
},
|
|
{
|
|
"names": [
|
|
"profiling-*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write"
|
|
],
|
|
"allow_restricted_indices": false
|
|
},
|
|
{
|
|
"names": [
|
|
"traces-apm.sampled-*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"monitor",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": false
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-secrets*"
|
|
],
|
|
"privileges": [
|
|
"read"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-actions*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-agents*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-artifacts*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-enrollment-api-keys*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-policies*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-policies-leader*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-servers*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
".fleet-fileds*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"monitor",
|
|
"create_index",
|
|
"auto_configure",
|
|
"maintenance"
|
|
],
|
|
"allow_restricted_indices": true
|
|
},
|
|
{
|
|
"names": [
|
|
"synthetics-*"
|
|
],
|
|
"privileges": [
|
|
"read",
|
|
"write",
|
|
"create_index",
|
|
"auto_configure"
|
|
],
|
|
"allow_restricted_indices": false
|
|
}
|
|
],
|
|
"applications": [
|
|
{
|
|
"application": "kibana-*",
|
|
"privileges": [
|
|
"reserved_fleet-setup"
|
|
],
|
|
"resources": [
|
|
"*"
|
|
]
|
|
}
|
|
],
|
|
"run_as": [],
|
|
"metadata": {},
|
|
"transient_metadata": {
|
|
"enabled": true
|
|
}
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
Omit the `namespace` and `service` to retrieve all service accounts:
|
|
|
|
[source,console]
|
|
----
|
|
GET /_security/service
|
|
----
|