From 03050bb8b034f9322fb95b50c0452e0b20bae1a3 Mon Sep 17 00:00:00 2001 From: Aleksandra Spilkowska Date: Thu, 26 Mar 2026 16:21:53 +0100 Subject: [PATCH 1/2] Add Authentication section to mOTLP reference docs Documents the new `ingest` application privilege for Managed Inputs (mOTLP), including examples for creating unrestricted and pipeline-scoped Elasticsearch API keys. --- docs/reference/motlp.md | 59 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/docs/reference/motlp.md b/docs/reference/motlp.md index 50686030..94570eac 100644 --- a/docs/reference/motlp.md +++ b/docs/reference/motlp.md @@ -59,6 +59,65 @@ For {{ech}} deployments, {{motlp}} is currently supported in the following cloud Support for additional regions and cloud providers is in progress and will be expanded over time. ::: +## Authentication + +The {{motlp}} authenticates clients using {{es}} API keys with the `ingest` application privilege. + +:::{note} +The legacy API keys with the `apm` application privilege continue to work for backward compatibility, but they don't support pipeline-scoped access. +::: + +### Create an API key for {{motlp}} + +You can create an API key from the {{kib}} UI or using the {{es}}'s [create API key](/docs/api/doc/elasticsearch/operation/operation-security-create-api-key.md). + +#### Unrestricted key + +The following is an example of an API key with access to all pipelines: + +```bash +POST /_security/api_key +{ + "name": "my-motlp-api-key", + "role_descriptors": { + "motlp_write_role": { + "applications": [ + { + "application": "ingest", + "privileges": ["write"], + "resources": ["*"] + } + ] + } + } +} +``` + +#### Pipeline-scoped key + +The following is an example of an API key restricted to a specific pipeline. You can use one when you want to limit a client, such as an {{product.elastic-agent}} managed by {{product.fleet}}, to ingesting into a single agent policy pipeline: + +```bash +POST /_security/api_key +{ + "name": "fleet_agent_policy_123-api-key", + "expiration": "1d", + "role_descriptors": { + "motlp_pipeline_write_role": { + "applications": [ + { + "application": "ingest", + "privileges": ["write"], + "resources": ["pipeline:.fleet_agent_policy_1"] + } + ] + } + } +} +``` + +The `pipeline:` prefix in the resource name restricts the key to a named pipeline. To grant access to multiple pipelines, list multiple resources in the `resources` array. + ## Send data to Elastic To send data to Elastic through the {{motlp}}, follow the [Send data to the Elastic Cloud Managed OTLP Endpoint](docs-content://solutions/observability/get-started/quickstart-elastic-cloud-otel-endpoint.md) quickstart. From b121ca159456b49fec808c1c33df7c25e807430f Mon Sep 17 00:00:00 2001 From: Aleksandra Spilkowska Date: Fri, 27 Mar 2026 10:50:05 +0100 Subject: [PATCH 2/2] Fix broken API link in motlp.md Authentication section Use full https:// URL instead of relative path for the Elasticsearch create API key API reference link. Co-Authored-By: Claude Sonnet 4.6 --- docs/reference/motlp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/motlp.md b/docs/reference/motlp.md index 94570eac..9d62edf8 100644 --- a/docs/reference/motlp.md +++ b/docs/reference/motlp.md @@ -69,7 +69,7 @@ The legacy API keys with the `apm` application privilege continue to work for ba ### Create an API key for {{motlp}} -You can create an API key from the {{kib}} UI or using the {{es}}'s [create API key](/docs/api/doc/elasticsearch/operation/operation-security-create-api-key.md). +You can create an API key from the {{kib}} UI or using the {{es}} [create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key). #### Unrestricted key