Description
Elasticsearch is working on an enhancement for API key authentication for remote clusters, where the identity of the caller is verified to check it matches the one associated with the given cross-cluster API key.
Users can specify the identity they want to associate to the cross-cluster API key when they create it.
They can also see which cluster identity is associated with existing cross-cluster API keys.
Kibana API key management should allow users to manage the identity information when dealing with cross-cluster API keys, providing a nice user experience for the underlying Elasticsearch functionality.
Related ES Changes: elastic/elasticsearch#134604.
When creating or updating cross-cluster API Keys, we should allow users to specify a Cluster identity. This will be a text field which maps to the cluster_identity property of cross-cluster API Keys.
Requirements
- The display name for this field should be `Cluster identity`.
- Similar to other optional fields within the API Key workflows, this field should be gated behind a toggle which controls the visibility of the `Cluster identity` field.
- When the field is empty, we MAY display placeholder text to serve as an example (e.g. `CN=host,OU=engineering,DC=example,DC=com`).
- This field is optional for cross-cluster API Keys.
- This field is available for both the Create and Update API Key workflows for cross-cluster API Keys.
- This field should NOT be displayed for regular (non-cross-cluster) API Keys.
- Validation for this field shall be performed by Elasticsearch. We should not perform extra validation within Kibana, and we should ensure that errors returned by ES are shown to the user.
Design
Asset: Figma file
Designer: @simosilvestri
New criteria:
- Update the Flyout size to Medium.
- Add a new panel to support Identity Verification functionality.
- When the customer enables the Identity Verification functionality toggle: Display the input field, Show help text explaining the requirement, Include a link to the documentation for additional guidance.
- Flyout -> Move all optional sections to a single area at the bottom of the wizard to improve scannability and reduce cognitive load.
- Flyout -> Make both the expiration date and strong identity verification settings editable
- View API key Details flyout -> show the strong identity verification settings in the overview section, with ability to show/hide and copy the string certificate
- API keys table -> show a key icon next to API key type when the strong identity verification settings is active
- Create API key Details flyout -> Change the toggle titles to Add metadata, Add expiration date and Add strong identity verification
IMPORTANT!
When the customer clicks Create cross cluster API key, default the API Keys table to the Cross-cluster view with the Cross-cluster filter automatically applied to ensure immediate visibility of the newly created API key.