@@ -41,15 +41,30 @@ The following parameters can be specified in the body of a POST or PUT request:
4141(Optional, array-of-role-descriptor) An array of role descriptors for this API
4242key. This parameter is optional. When it is not specified or is an empty array,
4343then the API key will have a _point in time snapshot of permissions of the
44- authenticated user_. If you supply role descriptors then the resultant permissions
45- would be an intersection of API keys permissions and authenticated user's permissions
46- thereby limiting the access scope for API keys.
47- The structure of role descriptor is the same as the request for create role API.
48- For more details, see <<security-api-roles,role management APIs>>.
44+ authenticated user_. If you supply role descriptors then the resultant
45+ permissions would be an intersection of API keys permissions and authenticated
46+ user's permissions thereby limiting the access scope for API keys. The structure
47+ of role descriptor is the same as the request for create role API. For more
48+ details, see <<security-api-roles,role management APIs>>.
49+ +
50+ --
51+ NOTE: Due to the way in which this permission intersection is calculated, it is
52+ not possible to create an API key that is a child of another API key, unless the
53+ derived key is created without any privileges. In this case, you must explicitly
54+ specify a role descriptor with no privileges. The derived API key can be used
55+ for authentication; it will not have authority to call {es} APIs.
56+
57+ --
4958
5059`expiration`::
5160(string) Optional expiration time for the API key. By default, API keys never expire.
5261
62+ ==== Authorization
63+
64+ IMPORTANT: If the credential that is used to authenticate this request is
65+ an API key, the derived API key cannot have any privileges. If you specify
66+ privileges, the API returns an error. See the note under `role_descriptors`.
67+
5368==== Examples
5469
5570The following example creates an API key:
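Review bot: The NOTE added under `role_descriptors` tells the reader to "explicitly specify a role descriptor with no privileges", but the sentence just above it says that an omitted or empty array gives the key a snapshot of the authenticated user's permissions. A reader cannot tell from this text what the request body for a privilege-less derived key should look like. Suggest describing or linking to the exact shape of that descriptor. The new Authorization section should also state what happens when a request authenticated with an API key omits `role_descriptors` or passes an empty array, since it currently covers only the "If you specify privileges, the API returns an error" case. Two smaller points: the reflowed sentence still reads "API keys permissions" (missing apostrophe), and "would be an intersection of" reads better as "are the intersection of".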