From 96587219ca6996d0666a64c5cb38760990ae3bc3 Mon Sep 17 00:00:00 2001
From: Aleksandra Spilkowska
Date: Thu, 13 Nov 2025 15:41:53 +0100
Subject: [PATCH 1/2] Update EDOT collector auth snippet
---
 docs/reference/central-configuration.md | 47 +++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 3 deletions(-)
diff --git a/docs/reference/central-configuration.md b/docs/reference/central-configuration.md
index 5c3ab433..988e7dd9 100644
--- a/docs/reference/central-configuration.md
+++ b/docs/reference/central-configuration.md
@@ -65,10 +65,51 @@ To activate {{product.apm-agent}} Central Configuration for EDOT SDKs, follow th
 You need a valid {{es}} API key to authenticate to the {{es}} endpoint.
-::::{include} _snippets/retrieve-credentials.md
-::::
+:::::
+
+:::::{step} Configure authentication for central configuration
+
+Configure the Collector to validate SDK API keys using `apikeyauth`:
+
+```yaml
+POST /_security/api_key
+{
+ "name": "apmconfig-opamp-test-sdk",
+ "metadata": {
+ "application": "apm"
+ },
+ "role_descriptors": {
+ "apm": {
+ "cluster": [],
+ "indices": [],
+ "applications": [
+ {
+ "application": "apm",
+ "privileges": [
+ "config_agent:read"
+ ],
+ "resources": [
+ "*"
+ ]
+ }
+ ],
+ "run_as": [],
+ "metadata": {}
+ }
+ }
+}
+```
+
+:::{note}
+The EDOT Collector doesn't store or embed the {{es}} API key.
-Make sure the API key has `config_agent:read` permissions and resources set to `-`.
+Each EDOT SDK must send its own API key in the `Authorization` header (for example: `Authorization: ApiKey `).
+
+The `apikeyauth` extension only validates this API key against {{es}}, ensuring it has the `config_agent:read` privilege for all resources (`"*"`).
+:::
+
+Make sure the API key has the `config_agent:read` privilege and resources set to `*`.
+:::::
 ::::{dropdown} Example JSON payload
 ```json
From ea5e23adbaf3c8e9d88047f7e28920cec8d45c4d Mon Sep 17 00:00:00 2001
From: Aleksandra Spilkowska
Date: Tue, 18 Nov 2025 16:39:30 +0100
Subject: [PATCH 2/2] Update API key request
---
 docs/reference/central-configuration.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/docs/reference/central-configuration.md b/docs/reference/central-configuration.md
index 988e7dd9..f181f8e5 100644
--- a/docs/reference/central-configuration.md
+++ b/docs/reference/central-configuration.md
@@ -67,11 +67,13 @@ You need a valid {{es}} API key to authenticate to the {{es}} endpoint.
 :::::
-:::::{step} Configure authentication for central configuration
+:::::{step} Create an Elasticsearch API key for central configuration
-Configure the Collector to validate SDK API keys using `apikeyauth`:
+Create an API key with the `config_agent:read` privilege. This API key will be used by EDOT SDKs and validated by the Collector.
-```yaml
+Use the following API request to generate the key:
+
+```json
 POST /_security/api_key
 {
 "name": "apmconfig-opamp-test-sdk",
@@ -100,15 +102,13 @@ POST /_security/api_key
 }
 ```
-:::{note}
+::::{note}
 The EDOT Collector doesn't store or embed the {{es}} API key.
 Each EDOT SDK must send its own API key in the `Authorization` header (for example: `Authorization: ApiKey `).
-The `apikeyauth` extension only validates this API key against {{es}}, ensuring it has the `config_agent:read` privilege for all resources (`"*"`).
-:::
-
-Make sure the API key has the `config_agent:read` privilege and resources set to `*`.
+The `apikeyauth` extension only validates this API key against {{es}}, ensuring it includes the `config_agent:read` privilege with `resources: ["*"]`.
+::::
 :::::
 ::::{dropdown} Example JSON payload