From 5ef31db886ef84b505fbc360fc095528205a7283 Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Mon, 3 Nov 2025 16:12:23 +0100 Subject: [PATCH 1/3] Document API key privileges for MCP server access Adds sections on API key application privileges for development and production environments --- solutions/search/agent-builder/mcp-server.md | 60 +++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/solutions/search/agent-builder/mcp-server.md b/solutions/search/agent-builder/mcp-server.md index d9a1180e34..966900c9fd 100644 --- a/solutions/search/agent-builder/mcp-server.md +++ b/solutions/search/agent-builder/mcp-server.md 
@@ -57,5 +57,63 @@ export API_KEY="your-api-key" For information on generating API keys, refer to [API keys](https://www.elastic.co/docs/solutions/search/search-connection-details). -Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. +Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. Refer to ::: + +## API key application privileges + +To access the MCP server endpoint, your API key must include {{kib}} application privileges. + +### Development and testing + +For development and testing purposes, you can create an unrestricted API key with full access: + +```json +POST /_security/api_key +{ + "name": "my-mcp-api-key", + "expiration": "1d", + "role_descriptors": { + "unrestricted": { + "cluster": ["all"], + "indices": [ + { + "names": ["*"], + "privileges": ["all"] + } + ] + } + } +} +``` + +### Production + +For production environments, use a restricted API key with specific application privileges: + +```json +POST /_security/api_key +{ + "name": "my-mcp-api-key", + "expiration": "1d", + "role_descriptors": { + "mcp-access": { + "cluster": ["all"], + "indices": [ + { + "names": ["*"], + "privileges": ["read", "view_index_metadata"] + } + ], + "applications": [ + { + "application": "kibana-.kibana", + "privileges": ["read_onechat", "space_read"], <1> + "resources": ["space:default"] + } + ] + } + } +} +``` +1. The `read_onechat` and `space_read` application privileges are required to authorize access to the MCP endpoint. Without these privileges, you'll receive a 403 Forbidden error. From 8ddf09033f669891334116cee698f2af79e2a68a Mon Sep 17 00:00:00 2001 
From: Liam Thompson Date: Mon, 3 Nov 2025 16:13:52 +0100 Subject: [PATCH 2/3] add links --- solutions/search/agent-builder/mcp-server.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/solutions/search/agent-builder/mcp-server.md b/solutions/search/agent-builder/mcp-server.md index 966900c9fd..a2f294de91 100644 --- a/solutions/search/agent-builder/mcp-server.md +++ b/solutions/search/agent-builder/mcp-server.md @@ -40,12 +40,13 @@ Most MCP clients (such as Claude Desktop, Cursor, VS Code, etc.) have similar co ], "env": { "KIBANA_URL": "${KIBANA_URL}", - "AUTH_HEADER": "ApiKey ${API_KEY}" + "AUTH_HEADER": "ApiKey ${API_KEY}" <1> } } } } ``` +1. Refer to [](API key application privileges) :::{note} Set the following environment variables: @@ -57,7 +58,7 @@ export API_KEY="your-api-key" For information on generating API keys, refer to [API keys](https://www.elastic.co/docs/solutions/search/search-connection-details). -Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. Refer to +Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. To learn more, refer to [](API key application privileges). ::: ## API key application privileges From f247ee404400d68cf1c1b84c5e5b7cca64e35de5 Mon Sep 17 00:00:00 2001 From: Liam Thompson Date: Mon, 3 Nov 2025 16:14:36 +0100 Subject: [PATCH 3/3] use real syntax --- solutions/search/agent-builder/mcp-server.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/search/agent-builder/mcp-server.md b/solutions/search/agent-builder/mcp-server.md index a2f294de91..b486d58d91 100644 --- a/solutions/search/agent-builder/mcp-server.md +++ b/solutions/search/agent-builder/mcp-server.md 
@@ -46,7 +46,7 @@ Most MCP clients (such as Claude Desktop, Cursor, VS Code, etc.) have similar co } } ``` -1. Refer to [](API key application privileges) +1. Refer to [](#api-key-application-privileges) :::{note} Set the following environment variables: @@ -58,7 +58,7 @@ export API_KEY="your-api-key" For information on generating API keys, refer to [API keys](https://www.elastic.co/docs/solutions/search/search-connection-details). -Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. To learn more, refer to [](API key application privileges). +Tools execute with the scope assigned to the API key. Make sure your API key has the appropriate permissions to only access the indices and data that you want to expose through the MCP server. To learn more, refer to [](#api-key-application-privileges). ::: ## API key application privileges
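Review bot: In PATCH 1/3, the `### Production` example is introduced as a restricted key, but its `mcp-access` role descriptor grants `"cluster": ["all"]` and read access on `"names": ["*"]`. That is at odds with the sentence just above the new section, which tells readers to expose only the indices and data they intend to. Check whether the cluster privilege is needed at all for the MCP endpoint and drop or narrow it if not, and replace `"*"` with a placeholder index pattern so that a copied example does not produce a key that can read every index. In the same hunk, the `### Development and testing` descriptor has no `applications` block although the section opens by saying the key must include application privileges; either add the block or say explicitly whether that key can reach the MCP endpoint.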
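Review bot: In PATCH 2/3, both added links, `[](API key application privileges)` in the `<1>` callout and at the end of the note paragraph, use the heading text as the link target rather than an anchor, and PATCH 3/3 exists only to change them to `[](#api-key-application-privileges)`. PATCH 1/3 similarly leaves the note paragraph ending in a bare "Refer to" that 2/3 then completes. Squash the three commits so that no intermediate revision carries a broken sentence or an unresolved link.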
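Review bot: In PATCH 3/3, the callout text `1. Refer to [](#api-key-application-privileges)` under the client configuration block does not say why the `AUTH_HEADER` line is annotated. State the requirement in the callout itself, for example that the API key used in this header needs the application privileges described in the linked section, and end the item with a period to match the callout added under the production example in PATCH 1/3.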