diff --git a/deploy-manage/remote-clusters/_snippets/allow-connection-intro.md b/deploy-manage/remote-clusters/_snippets/allow-connection-intro.md new file mode 100644 index 0000000000..8afbdba98b --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/allow-connection-intro.md @@ -0,0 +1,7 @@ +Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. + +API key +: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. + +TLS certificate (deprecated in {{stack}} 9.0.0) +: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user's role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-create-key.md b/deploy-manage/remote-clusters/_snippets/apikeys-create-key.md new file mode 100644 index 0000000000..6161f0073b --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/apikeys-create-key.md @@ -0,0 +1,2 @@ +* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](/deploy-manage/api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. +* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. 
diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-intro.md b/deploy-manage/remote-clusters/_snippets/apikeys-intro.md new file mode 100644 index 0000000000..a251de7a56 --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/apikeys-intro.md @@ -0,0 +1,7 @@ +API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. + +All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. + +On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. + +If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). 
diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md b/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md new file mode 100644 index 0000000000..efcd7836a4 --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/apikeys-local-ece-remote-public.md @@ -0,0 +1,23 @@ +1. [Log into the Cloud UI](/deploy-manage/deploy/cloud-enterprise/log-into-cloud-ui.md). +2. On the **Deployments** page, select your deployment. + + Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. + +3. From the deployment menu, select **Security**. +4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. + + 1. Fill both fields. + + * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. + * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. + + 2. Click **Add** to save the API key to the keystore. + +5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.
+ + ::::{note} + If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. + :::: + + +If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](/deploy-manage/remote-clusters/ece-edit-remove-trusted-environment.md#ece-edit-remove-trusted-environment-api-key). diff --git a/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md b/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md new file mode 100644 index 0000000000..5d91cfb8dd --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/apikeys-local-ech-remote-public.md 
@@ -0,0 +1,23 @@ +1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). +2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. + + On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. + +3. From the navigation menu, select **Security**. +4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. + + 1. Fill both fields. + + * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. + * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. + + 2. Click **Add** to save the API key. + +5. Restart the local deployment to reload the new setting. To do that, go to the deployment's main page (named after your deployment's name), locate the **Actions** menu, and select **Restart {{es}}**.
+ + ::::{note} + If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. + :::: + + +If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](/deploy-manage/remote-clusters/ec-edit-remove-trusted-environment.md#ec-edit-remove-trusted-environment-api-key). diff --git a/deploy-manage/remote-clusters/_snippets/configure-roles-and-users.md b/deploy-manage/remote-clusters/_snippets/configure-roles-and-users.md new file mode 100644 index 0000000000..7a7110dba1 --- /dev/null +++ b/deploy-manage/remote-clusters/_snippets/configure-roles-and-users.md @@ -0,0 +1,3 @@ +% this will need improvement in a future PR, as the text below is only valid for API key based security model + +If you're using the API key based security model, to use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](/deploy-manage/remote-clusters/remote-clusters-api-key.md#remote-clusters-privileges-api-key). diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md index a1db6c5127..c5ac2c8e02 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-ece.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-ece.md 
@@ -22,25 +22,15 @@ If network security filters are applied to the remote cluster on ECE, the remote ## Allow the remote connection [ec_allow_the_remote_connection_3] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. - -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. - -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ec_prerequisites_and_limitations_3] @@ -50,8 +40,8 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ec_create_a_cross_cluster_api_key_on_the_remote_deployment_3] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. +:::{include} _snippets/apikeys-create-key.md +::: ### Configure the local deployment [ec_configure_the_local_deployment] 
@@ -61,29 +51,9 @@ The API key created previously will be used by the local deployment to authentic The steps to follow depend on whether the Certificate Authority (CA) of the remote ECE environment’s proxy or load balancing infrastructure is public or private. ::::{dropdown} The CA is public -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. - -3. From the navigation menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - - 1. Fill both fields. - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - - -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ec-edit-remove-trusted-environment.md#ec-edit-remove-trusted-environment-api-key). +:::{include} _snippets/apikeys-local-ech-remote-public.md +::: :::: @@ -217,4 +187,5 @@ If you’re having issues establishing the connection and the remote cluster is ## Configure roles and users [ec_configure_roles_and_users_3] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). +:::{include} _snippets/configure-roles-and-users.md +::: diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md index b1c0dda782..95d3ac28e4 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-other-ess.md 
@@ -21,24 +21,15 @@ If network security policies are applied to the remote cluster, the remote clust ## Allow the remote connection [ec_allow_the_remote_connection_2] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. - -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ec_prerequisites_and_limitations_2] 
@@ -49,37 +40,16 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ec_create_a_cross_cluster_api_key_on_the_remote_deployment_2] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Add the cross-cluster API key to the keystore of the local deployment [ec_add_the_cross_cluster_api_key_to_the_keystore_of_the_local_deployment_2] The API key created previously will be used by the local deployment to authenticate with the corresponding set of permissions to the remote deployment. For that, you need to add the API key to the local deployment’s keystore. -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. - -3. From the navigation menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - - 1. Fill both fields. - - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. 
It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - +:::{include} _snippets/apikeys-local-ech-remote-public.md +::: -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ec-edit-remove-trusted-environment.md#ec-edit-remove-trusted-environment-api-key). :::::: ::::::{tab-item} TLS certificate (deprecated) @@ -152,4 +122,5 @@ On the local cluster, add the remote cluster using {{kib}} or the {{es}} API. ## Configure roles and users [ec_configure_roles_and_users_2] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). +:::{include} _snippets/configure-roles-and-users.md +::: diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md index 0689d24390..ae39a1d29b 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-same-ess.md 
@@ -21,24 +21,15 @@ If network security policies are applied to the remote cluster, the remote clust ## Allow the remote connection [ec_allow_the_remote_connection] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. - -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ec_prerequisites_and_limitations] 
@@ -49,37 +40,16 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ec_create_a_cross_cluster_api_key_on_the_remote_deployment] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Add the cross-cluster API key to the local deployment [ec_add_the_cross_cluster_api_key_to_the_local_deployment] The API key created previously will be used by the local deployment to authenticate with the corresponding set of permissions to the remote deployment. For that, you need to add the API key to the local deployment. -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. - -3. From the navigation menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - - 1. Fill both fields. - - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. 
- * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key. - -5. Restart the local deployment to reload the new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step. - :::: - +:::{include} _snippets/apikeys-local-ech-remote-public.md +::: -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ec-edit-remove-trusted-environment.md#ec-edit-remove-trusted-environment-api-key). :::::: ::::::{tab-item} TLS certificate (deprecated) @@ -227,4 +197,5 @@ The response will include just the remote clusters from the same {{ecloud}} orga ## Configure roles and users [ec_configure_roles_and_users] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). +:::{include} _snippets/configure-roles-and-users.md +::: diff --git a/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md b/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md index 04c25ca90f..f18784711a 100644 --- a/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md +++ b/deploy-manage/remote-clusters/ec-remote-cluster-self-managed.md 
@@ -16,24 +16,15 @@ This section explains how to configure a deployment to connect remotely to self- ## Allow the remote connection [ec_allow_the_remote_connection_4] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. - -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ec_prerequisites_and_limitations_4] @@ -44,9 +35,8 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ec_create_a_cross_cluster_api_key_on_the_remote_deployment_4] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Configure the local deployment [ec_configure_the_local_deployment_2] 
@@ -55,29 +45,9 @@ The API key created previously will be used by the local deployment to authentic The steps to follow depend on whether the Certificate Authority (CA) of the remote environment’s {{es}} HTTPS server, proxy or, load balancing infrastructure is public or private. ::::{dropdown} The CA is public -1. Log in to the [{{ecloud}} Console](https://cloud.elastic.co?page=docs&placement=docs-body). -2. On the home page, find your hosted deployment and select **Manage** to access it directly. Or, select **Hosted deployments** to go to the **Hosted deployments** page to view all of your deployments. - - On the **Hosted deployments** page you can narrow your deployments by name, ID, or choose from several other filters. To customize your view, use a combination of filters, or change the format from a grid to a list. - -3. From the navigation menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - - 1. Fill both fields. - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - - -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ec-edit-remove-trusted-environment.md#ec-edit-remove-trusted-environment-api-key). +:::{include} _snippets/apikeys-local-ech-remote-public.md +::: :::: @@ -231,4 +201,5 @@ On the local cluster, add the remote cluster using {{kib}} or the {{es}} API. ## Configure roles and users [ec_configure_roles_and_users_4] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). +:::{include} _snippets/configure-roles-and-users.md +::: diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md index cf9d1df6dd..9596344756 100644 --- a/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md +++ b/deploy-manage/remote-clusters/ece-remote-cluster-ece-ess.md 
@@ -22,24 +22,15 @@ If network security filters are applied to the remote cluster on {{ecloud}}, the ## Allow the remote connection [ece_allow_the_remote_connection_3] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. - -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ece_prerequisites_and_limitations_3] 
@@ -49,37 +40,15 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ece_create_a_cross_cluster_api_key_on_the_remote_deployment_3] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Add the cross-cluster API key to the keystore of the local deployment [ece_add_the_cross_cluster_api_key_to_the_keystore_of_the_local_deployment_2] The API key created previously will be used by the local deployment to authenticate with the corresponding set of permissions to the remote deployment. For that, you need to add the API key to the local deployment’s keystore. -1. [Log into the Cloud UI](../deploy/cloud-enterprise/log-into-cloud-ui.md). -2. On the **Deployments** page, select your deployment. - - Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. - -3. From the deployment menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - - 1. Fill both fields. - - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. 
To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - - -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ece-edit-remove-trusted-environment.md#ece-edit-remove-trusted-environment-api-key). +:::{include} _snippets/apikeys-local-ece-remote-public.md +::: :::::: ::::::{tab-item} TLS certificate (deprecated) @@ -160,4 +129,5 @@ This configuration of remote clusters uses the [Proxy mode](/deploy-manage/remot ## Configure roles and users [ece_configure_roles_and_users_3] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). \ No newline at end of file +:::{include} _snippets/configure-roles-and-users.md +::: \ No newline at end of file diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md index f32c93d397..9567e4ecc0 100644 --- a/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md +++ b/deploy-manage/remote-clusters/ece-remote-cluster-other-ece.md 
@@ -21,24 +21,15 @@ If network security filters are applied to the remote cluster on ECE, the remote ## Allow the remote connection [ece_allow_the_remote_connection_2] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. - -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ece_prerequisites_and_limitations_2] @@ -47,9 +38,8 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ece_create_a_cross_cluster_api_key_on_the_remote_deployment_2] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Configure the local deployment [ece_configure_the_local_deployment] 
@@ -58,29 +48,9 @@ The API key created previously will be used by the local deployment to authentic The steps to follow depend on whether the Certificate Authority (CA) of the remote ECE environment’s proxy or load balancing infrastructure is public or private. ::::{dropdown} The CA is public -1. [Log into the Cloud UI](../deploy/cloud-enterprise/log-into-cloud-ui.md). -2. On the **Deployments** page, select your deployment. - - Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. - -3. From the deployment menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - 1. Fill both fields. - - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - - -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ece-edit-remove-trusted-environment.md#ece-edit-remove-trusted-environment-api-key). +:::{include} _snippets/apikeys-local-ece-remote-public.md +::: :::: @@ -236,4 +206,5 @@ If you’re having issues establishing the connection and the remote cluster is ## Configure roles and users [ece_configure_roles_and_users_2] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). \ No newline at end of file +:::{include} _snippets/configure-roles-and-users.md +::: \ No newline at end of file diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md b/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md index 51eae4e66d..0ff3d7350c 100644 --- a/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md +++ b/deploy-manage/remote-clusters/ece-remote-cluster-same-ece.md 
@@ -21,24 +21,15 @@ If network security filters are applied to the remote cluster, the remote cluste ## Allow the remote connection [ece_allow_the_remote_connection] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. - -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. - -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ece_prerequisites_and_limitations] 
@@ -48,37 +39,15 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ece_create_a_cross_cluster_api_key_on_the_remote_deployment] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Add the cross-cluster API key to the keystore of the local deployment [ece_add_the_cross_cluster_api_key_to_the_keystore_of_the_local_deployment] The API key created previously will be used by the local deployment to authenticate with the corresponding set of permissions to the remote deployment. For that, you need to add the API key to the local deployment’s keystore. -1. [Log into the Cloud UI](../deploy/cloud-enterprise/log-into-cloud-ui.md). -2. On the **Deployments** page, select your deployment. - - Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. - -3. From the deployment menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - - 1. Fill both fields. - - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. 
To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - - -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ece-edit-remove-trusted-environment.md#ece-edit-remove-trusted-environment-api-key). +:::{include} _snippets/apikeys-local-ece-remote-public.md +::: :::::: ::::::{tab-item} TLS certificate (deprecated) @@ -238,4 +207,5 @@ The response includes just the remote clusters from the same ECE environment. In ## Configure roles and users [ece_configure_roles_and_users] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). +:::{include} _snippets/configure-roles-and-users.md +::: diff --git a/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md b/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md index 5458c7fda8..40da4766a5 100644 --- a/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md +++ b/deploy-manage/remote-clusters/ece-remote-cluster-self-managed.md 
@@ -17,24 +17,15 @@ This section explains how to configure a deployment to connect remotely to self- ## Allow the remote connection [ece_allow_the_remote_connection_4] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. +:::{include} _snippets/allow-connection-intro.md +::: :::::::{tab-set} ::::::{tab-item} API key -API key authentication enables a local cluster to authenticate itself with a remote cluster via a [cross-cluster API key](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key). The API key needs to be created by an administrator of the remote cluster. The local cluster is configured to provide this API key on each request to the remote cluster. The remote cluster verifies the API key and grants access, based on the API key’s privileges. - -All cross-cluster requests from the local cluster are bound by the API key’s privileges, regardless of local users associated with the requests. For example, if the API key only allows read access to `my-index` on the remote cluster, even a superuser from the local cluster is limited by this constraint. 
This mechanism enables the remote cluster’s administrator to have full control over who can access what data with cross-cluster search and/or cross-cluster replication. The remote cluster’s administrator can be confident that no access is possible beyond what is explicitly assigned to the API key. -On the local cluster side, not every local user needs to access every piece of data allowed by the API key. An administrator of the local cluster can further configure additional permission constraints on local users so each user only gets access to the necessary remote data. Note it is only possible to further reduce the permissions allowed by the API key for individual local users. It is impossible to increase the permissions to go beyond what is allowed by the API key. - -If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsearch/remote-clusters.md). +:::{include} _snippets/apikeys-intro.md +::: ### Prerequisites and limitations [ece_prerequisites_and_limitations_4] @@ -44,9 +35,8 @@ If you run into any issues, refer to [Troubleshooting](/troubleshoot/elasticsear ### Create a cross-cluster API key on the remote deployment [ece_create_a_cross_cluster_api_key_on_the_remote_deployment_4] -* On the deployment you will use as remote, use the [{{es}} API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-cross-cluster-api-key) or [{{kib}}](../api-keys/elasticsearch-api-keys.md) to create a cross-cluster API key. Configure it with access to the indices you want to use for {{ccs}} or {{ccr}}. -* Copy the encoded key (`encoded` in the response) to a safe location. You will need it in the next step. - +:::{include} _snippets/apikeys-create-key.md +::: ### Configure the local deployment [ece_configure_the_local_deployment_2] 
@@ -55,29 +45,9 @@ The API key created previously will be used by the local deployment to authentic The steps to follow depend on whether the Certificate Authority (CA) of the remote environment’s {{es}} HTTPS server, proxy or, load balancing infrastructure is public or private. ::::{dropdown} The CA is public -1. [Log into the Cloud UI](../deploy/cloud-enterprise/log-into-cloud-ui.md). -2. On the **Deployments** page, select your deployment. - - Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters. - -3. From the deployment menu, select **Security**. -4. Locate **Remote Connections > Trust management > Connections using API keys** and select **Add API key**. - 1. Fill both fields. - - * For the **Remote cluster name**, enter the the alias of your choice. You will use this alias to connect to the remote cluster later. It must be lowercase and only contain letters, numbers, dashes and underscores. - * For the **Cross-cluster API key**, paste the encoded cross-cluster API key. - - 2. Click **Add** to save the API key to the keystore. - -5. Restart the local deployment to reload the keystore with its new setting. To do that, go to the deployment’s main page (named after your deployment’s name), locate the **Actions** menu, and select **Restart {{es}}**.
- - ::::{note} - If the local deployment runs on version 8.14 or greater, you no longer need to perform this step because the keystore is reloaded automatically with the new API keys. - :::: - - -If you need to update the remote connection with different permissions later, refer to [Change a cross-cluster API key used for a remote connection](ece-edit-remove-trusted-environment.md#ece-edit-remove-trusted-environment-api-key). +:::{include} _snippets/apikeys-local-ece-remote-public.md +::: :::: @@ -233,4 +203,5 @@ This configuration of remote clusters uses the [Proxy mode](/deploy-manage/remot ## Configure roles and users [ece_configure_roles_and_users_4] -To use a remote cluster for {{ccr}} or {{ccs}}, you need to create user roles with [remote indices privileges](../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv) on the local cluster. Refer to [Configure roles and users](remote-clusters-api-key.md#remote-clusters-privileges-api-key). \ No newline at end of file +:::{include} _snippets/configure-roles-and-users.md +::: \ No newline at end of file diff --git a/deploy-manage/remote-clusters/eck-remote-clusters.md b/deploy-manage/remote-clusters/eck-remote-clusters.md index 91d57724ac..a85e645faf 100644 --- a/deploy-manage/remote-clusters/eck-remote-clusters.md +++ b/deploy-manage/remote-clusters/eck-remote-clusters.md 
@@ -26,14 +26,8 @@ To create a remote cluster connection to another {{es}} cluster deployed within ### Security models [k8s_security_models] -Before you start, consider the security model that you would prefer to use for authenticating remote connections between clusters, and follow the corresponding steps. - -API key -: For deployments based on {{stack}} 8.14 or later, you can use an API key to authenticate and authorize cross-cluster operations to a remote cluster. This model offers administrators of both the local and the remote deployment fine-grained access controls. - -TLS certificate (deprecated in {{stack}} 9.0.0) -: This model uses mutual TLS authentication for cross-cluster operations. User authentication is performed on the local cluster and a user’s role names are passed to the remote cluster. A superuser on the local deployment gains total read access to the remote deployment, so it is only suitable for deployments that are in the same security domain. - +:::{include} _snippets/allow-connection-intro.md +::: ### Using the API key security model [k8s_using_the_api_key_security_model]
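Review bot: In the `@@ -55,29 +45,9 @@` hunks ("The CA is public" dropdown), every removed copy of the steps carries the typo "enter the the alias of your choice", and the replacement snippets `_snippets/apikeys-local-ech-remote-public.md` and `_snippets/apikeys-local-ece-remote-public.md` are not part of the lines shown here. Please confirm the doubled "the" was dropped when the text was moved. Also check that the trailing "Change a cross-cluster API key used for a remote connection" link in each snippet still points at the right page for its platform (`ec-edit-remove-trusted-environment.md` for ECH, `ece-edit-remove-trusted-environment.md` for ECE), since the removed lines differed on exactly that link.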
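Review bot: In `ece-remote-cluster-ece-ess.md` (`@@ -49,37 +40,15 @@`) and `ece-remote-cluster-same-ece.md` (`@@ -48,37 +39,15 @@`), `_snippets/apikeys-local-ece-remote-public.md` is included directly under "Add the cross-cluster API key to the keystore of the local deployment", where there is no public or private CA choice. The "remote-public" name only matches the "The CA is public" dropdown used in `ece-remote-cluster-other-ece.md` and `ece-remote-cluster-self-managed.md`. A name that describes the content (adding the key to the local keystore) would make it harder for a later edit to put CA-specific wording into a snippet that these two pages also pull in.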
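Review bot: In the `@@ -58,29 +48,9 @@` hunk of `ece-remote-cluster-other-ece.md` (and the matching hunks in the other files), the removed step 5 tells the reader to restart the local deployment to reload the keystore, and the nested note then says the restart is unnecessary on 8.14 or greater, while `_snippets/allow-connection-intro.md` describes the API key model as being for deployments on 8.14 or later. Now that this text lives in a single snippet, it is a good moment to state up front in step 5 which local versions actually need the restart, so readers do not restart a production deployment just to load a credential that is reloaded automatically.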
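Review bot: In the "Configure roles and users" hunks (for example `@@ -231,4 +201,5 @@` and `@@ -160,4 +129,5 @@`), the removed line used relative links (`../users-roles/cluster-or-deployment-auth/role-structure.md#roles-remote-indices-priv` and `remote-clusters-api-key.md#remote-clusters-privileges-api-key`), and the new `_snippets/configure-roles-and-users.md` sits one directory deeper than the pages that include it. `_snippets/apikeys-create-key.md` in this same patch switched its {{kib}} link to the absolute `/deploy-manage/api-keys/elasticsearch-api-keys.md`; please confirm the roles snippet got the same treatment so that the links do not depend on where the snippet is included from. Separately, three of these files still end with "\ No newline at end of file" on the new closing `:::` line; adding a trailing newline would keep the directive fence cleanly terminated.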