Skip to content

[Serverless] Docs how Elastic Cloud API keys affect rule behavior#6722

Open
nastasha-solomon wants to merge 24 commits into
mainfrom
issue-702
Open

[Serverless] Docs how Elastic Cloud API keys affect rule behavior#6722
nastasha-solomon wants to merge 24 commits into
mainfrom
issue-702

Conversation

@nastasha-solomon

@nastasha-solomon nastasha-solomon commented May 26, 2026

Copy link
Copy Markdown
Member

Summary

Fixes https://github.com/elastic/docs-content-internal/issues/702 by documenting how Elastic Cloud API keys work with alerting rules in Serverless projects.

Added: Rules and Elastic Cloud API keys in Serverless (new page)

File: explore-analyze/alerting/alerts/rules-and-elastic-cloud-api-keys.md

Preview: Rules and Elastic Cloud API keys in Serverless

Summary of changes:

  • Page explains how Elastic Cloud API keys authorize Serverless alerting rules and how they differ from Elasticsearch API keys (roles vs privileges)
  • Covered three key behaviors that apply to all Serverless rules: role assignments are captured when a rule is saved, role definition changes propagate to rule access, and rules continue running when the key owner leaves the organization
  • Included migration context and fallback key behavior for organizations that went through Elastic's migration from Elasticsearch API keys
  • Provided a post-migration checklist with time-boxed actions (right after migration and within 90 days) for verifying rules are running correctly

NOTE: Several sections contain SME review comments flagging claims that need technical verification before publishing (API key expiration defaults, expiration email behavior).

Added: API key rules snippet

File: solutions/_snippets/api-key-rules.md

Preview: Index threshold

Summary of changes:

Snippet is a note containing a brief explanation that rules use an API key to authorize background tasks, and to point them to the right reference page for their deployment type (Elasticsearch API keys for Stack, Elastic Cloud API keys for Serverless). Snippet was added to 21 Observability and Stack Management rule-related pages in the docs.

Updated: Detection rule concepts

File: solutions/security/detect-and-alert/detection-rule-concepts.md

Preview: Detection rule concepts

Summary of changes:

  • In the "Rule authorization" section, added a reference to the "Elastic Cloud API keys" page for Serverless-specific details.
  • Moved note about insufficient user privileges into its own subsection ("Impact of insufficient user privileges") to separate the concept from the remediation and remove duplicate information.
  • Updated the rule authorization definition in the key terms quick reference to include deployment-specific descriptions.

Updated: Alerting | Authentication (Observability incident management)

File: solutions/observability/incident-management/alerting.md

Preview: Alerting | Authentication

Summary of changes:
Added a reference to the "Elastic Cloud API keys" page for Serverless-specific details.

Updated: Setup Kibana alerting | API keys

File: explore-analyze/alerting/alerts/alerting-setup.md

Preview: Setup Kibana alerting | API keys

Summary of changes:
Added a reference to the "Elastic Cloud API keys" page for Serverless-specific details.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes - Cursor + Claude
  • No

@nastasha-solomon nastasha-solomon self-assigned this May 26, 2026
@github-actions

Copy link
Copy Markdown
Contributor

Elastic Docs AI PR menu

Check the box to run an AI review for this pull request.

  • Review docs changes (docs-review). Status: not started.

Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team.

@github-actions

github-actions Bot commented May 26, 2026

Copy link
Copy Markdown
Contributor

🔍 Preview links for changed docs

More links …

@github-actions

github-actions Bot commented May 26, 2026

Copy link
Copy Markdown
Contributor

Elastic Docs Style Checker (Vale)

Summary: 2 suggestions found

💡 Suggestions (2): Optional style improvements. Apply when helpful.
File Line Rule Message
explore-analyze/alerting/alerts/rules-and-elastic-cloud-api-keys.md 28 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
solutions/security/detect-and-alert/detection-rule-concepts.md 116 Elastic.WordChoice Consider using 'run, start' instead of 'execute', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@tiamliu

tiamliu commented May 30, 2026

Copy link
Copy Markdown

@nastasha-solomon reviewed. Thank you

Comment thread solutions/_snippets/api-key-rules.md
Comment thread explore-analyze/alerting/alerts/alerting-setup.md Outdated
Comment thread explore-analyze/alerting/alerts/rules-and-elastic-cloud-api-keys.md Outdated
Comment thread explore-analyze/alerting/alerts/rules-and-elastic-cloud-api-keys.md Outdated
Comment thread explore-analyze/alerting/alerts/rules-and-elastic-cloud-api-keys.md Outdated
@nastasha-solomon nastasha-solomon changed the title [UIAM API key] Adds docs for Elastic Cloud API keys and rules [UIAM API key] Adds docs for how rules in serverless projects use Elastic Cloud API Jun 23, 2026
@nastasha-solomon nastasha-solomon changed the title [UIAM API key] Adds docs for how rules in serverless projects use Elastic Cloud API [Serverless] Docs how Elastic Cloud API keys affect rule behavior Jun 23, 2026

:::{dropdown} Within 90 days
<!-- SME REVIEW: "Review API key expiration" is not in the source of truth. Verify the 90-day default expiry, that expired keys stop rules, and that Elastic sends expiration warning emails to the key creator and operational contacts. -->
- **Review API key expiration**: {{ecloud}} API keys expire after 90 days by default. When a key expires, dependent rules stop running. Check the expiration date for keys created during migration and extend or adjust them if 90 days is too short for your use case. Elastic sends an expiration warning email to the key creator and operational contacts as the date approaches.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK API Keys have no expiration date, we better verify this with the security team.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 369c117 (this PR).

@ersin-erdal ersin-erdal left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Left a comment about API Key expiration date.

:::{dropdown} Right after migration
- **Check rule execution status**: Go to **{{stack-manage-app}} > {{rules-ui}}** or your app's rules page and review the last run status for all rules. Investigate any rules showing a failed or warning status before moving on. If you use Elastic Security detection rules, also check for gaps caused by the migration. Refer to [Fill rule execution gaps](/solutions/security/detect-and-alert/fill-rule-gaps.md) for instructions.

- **Resolve migration errors promptly**: If the UI shows API key errors for a rule, open the rule and save it with a valid user following the in-product prompts. Rules with missing owners or invalid role assignments won't run until resolved.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not necessarily true, the rules should continue running and will fall back on ES api keys. However, there's an in app UI indicator letting users know when UIAM api keys is not available for the rule. Users can take a manual action on the rule in the UI to trigger the creation of a new UIAM api key for said rule.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 369c117 (this PR).


:::{dropdown} Within 90 days
<!-- SME REVIEW: "Review API key expiration" is not in the source of truth. Verify the 90-day default expiry, that expired keys stop rules, and that Elastic sends expiration warning emails to the key creator and operational contacts. -->
- **Review API key expiration**: {{ecloud}} API keys expire after 90 days by default. When a key expires, dependent rules stop running. Check the expiration date for keys created during migration and extend or adjust them if 90 days is too short for your use case. Elastic sends an expiration warning email to the key creator and operational contacts as the date approaches.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

agreed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants