Serverless admin user and API-only key workflow improvements#7277
Conversation
Elastic Docs AI PR menuCheck the box to run an AI review for this pull request.
Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team. |
🔍 Preview links for changed docs |
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
|
I think this is a good direction if we have decided to advertise the built-in admin user/password. That said, I would like to defer to @bytebilly on how we are communicating this, given that it is going into public documentation. Given that, the admin user is:
Now that I am writing this ... I wonder if we should also seek guidance from our Infosec team on any risks they see in documenting the details publicly 😅 |
wajihaparvez
left a comment
There was a problem hiding this comment.
LGTM! Can have another look if the content needs to be changed
bytebilly
left a comment
There was a problem hiding this comment.
I'd like to consider framing the admin credentials as not being a user, since they're not from a high-level perspective. They're more similar to an API key, and they should be used for programmatic access only.
Co-authored-by: wajihaparvez <wajiha.parvez@elastic.co>
|
@ppf2 , if possible we'd like to get your final review here after the latest updates. |
|
@kunisen Would you mind lending a second pair of eyes on this? I know this is a topic that's close to your heart 🙂 |
|
Thanks @ppf2 for your comment 🙏 Overall@bytebilly has already given LGTM, so I am also good with the statement :) [1]@eedugon I have one question:
I guess no? (Because API key with ES/Kibana API access is fairly recent feature IIRC). Then WDYT we add:
So that we can make it more clear that this credential actually is not at the same level of API keys, to make it more explanatory of why we recommend API keys. (I can see it's also in line with what Seb said in this comment - [2]
@eedugon per the comment from Seb, I take the reason of keeping admin user is "for backward compatibility reasons only (don't break the automation of existing customers)". Do you think it's good to add this into the doc? Something like,
It doesn't mean I am against with the statement. Hope it makes logical sense and thank you! |
|
@kunisen , I'll allow @bytebilly to add more context if he considers necessary.
Yes it does, not as an API key, but with user / password authentication. And precisely because of that we don't want to highlight the user and password or examples too much. We just say that they are default credentials to access the projects (which is true and valid), that they should be kept safe, and that they can be reset.
I don't see the reason to add such a context, but if @bytebilly wants we can somehow tweak this sentence and make it a bit longer:
Update: I forgot about this:
That was the goal I had in mind initially, but it's not the real goal here, sorry for the confusion. The goal is to make user our users use Elastic Cloud API keys to access Elasticsearch and Kibana programmatically, and don't use these credentials. The secondary goal is to reduce the visibility of these credentials as an option. But we have decided to not remove them entirely because they are still returned by the create project API. |
|
I'm not sure we want to mention backward compatibility, since in Serverless it's always been the case. |
kunisen
left a comment
There was a problem hiding this comment.
Thanks both! Now I got the full picture and everything is clear on my side! 🙇 It looks great!
|
Perfect, merging then! Thanks all! |
Summary
Clarifies the confusion around the built-in
adminuser returned when creatingServerless projects via the API (see elastic/docs-content-internal#546).
manage-serverless-projects-using-api:Cloud resource Admin scoped to all projects) and the difference between Cloud API
and Cloud + Elasticsearch/Kibana API access.
adminuser is, why it exists, andrecommending Elastic Cloud API keys with project access instead.
adminuser, with use cases.differences-from-other-elasticsearch-offerings: added a footnote to theNative realm authentication row noting the single built-in
adminuser, so thecomparison table no longer contradicts the API docs.
Closes https://github.com/elastic/docs-content-internal/issues/546
Generative AI disclosure