Metricbeat User Permission


I am trying to create a user for Metricbeat for sending metrics to Elasticsearch with limited access (creating the Metricbeat indices and adding logs into them). I am getting this error after configuring the Metricbeat user:
Exiting: Error importing Kibana dashboards: fail to create the Elasticsearch loader: Error creating Elasticsearch client: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=metricbeat-client, roles=[metricbeat-client], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=metricbeat-client, roles=[metricbeat-client], requestedTenant=null]"},"status":403}]

The configuration for role:

My metricbeat.yml file is:

metricbeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    # Reload module configs as they change:
    reload.enabled: false

metricbeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

metricbeat.modules:
  - module: docker
    metricsets:
      - "container"
      - "cpu"
      - "diskio"
      - "healthcheck"
      - "info"
      #- "image"
      - "memory"
      - "network"
    hosts: ["unix:///var/run/docker.sock"]
    period: 10s
    enabled: true

tags: ["${ES_IDENTIFIER}"]

processors:
  - add_cloud_metadata: ~
  - add_host_metadata: ~

output.elasticsearch:
  hosts: ["https://${ELK_HOST}:9200"]
  index: "metricbeat-${ES_IDENTIFIER}-%{+yyyy.MM.dd}"
  username: ${METRICBEAT_USER}
  ssl.certificate_authorities: ["/crts/certificate.crt"]

setup.template.name: "metricbeat-${ES_IDENTIFIER}"
setup.template.pattern: "metricbeat-${ES_IDENTIFIER}-*"
setup.kibana.host: "${ELK_HOST}:5601"
setup.kibana.protocol: "https"
setup.kibana.ssl.enabled: true
setup.kibana.ssl.verification_mode: full
setup.kibana.ssl.certificate_authorities: ["/crts/ca.pem"]
setup.dashboards.index: "metricbeat-${ES_IDENTIFIER}-*"
setup.dashboards.enabled: true

Please help…

For now I am pushing metrics using admin user.


Can anyone help me out with this?


Solved it.

Current user configuration:


@Nishant from the screenshots it looks like you have configured cluster level permissions. Can you share what your “Index Permissions” are?




Can you add CLUSTER_MONITOR to your cluster permissions?

Metricbeat may also be trying to create index templates, so could you try adding the following to the cluster permissions?

  • indices:admin/template/get
  • indices:admin/template/put

On your index permissions can you use CRUD and CREATE INDEX?


It worked… Thanks.
So my cluster-level permissions contain CLUSTER_MONITOR, INDICES_ALL and my index-level permissions contain CRUD, CREATE_INDEX, indices:admin/template/get and indices:admin/template/put


That looks right. You should be able to drop INDICES_ALL from the cluster level permissions since you have the specific indices:admin/template/get and indices:admin/template/put explicitly defined.


Yes, it is working fine…
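
Added example, not posted by anyone in the thread and not Metricbeat's or the security plugin's own code: a Python script that parses the 403 `security_exception` quoted in the first post and extracts the denied action, the user and its roles, which is what you need to know before widening a limited role. The function names and the regular expression are assumptions modelled on the single error message shown in this thread.

```python
import json
import re

# Error text as posted in the thread, split across literals for readability.
SAMPLE_ERROR = (
    "Exiting: Error importing Kibana dashboards: fail to create the Elasticsearch loader: "
    "Error creating Elasticsearch client: Couldn't connect to any of the configured "
    "Elasticsearch hosts. Errors: [Error connection to Elasticsearch 403 Forbidden: "
    '{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for '
    "[cluster:monitor/main] and User [name=metricbeat-client, roles=[metricbeat-client], "
    'requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for '
    "[cluster:monitor/main] and User [name=metricbeat-client, roles=[metricbeat-client], "
    'requestedTenant=null]"},"status":403}]'
)

# Assumed layout of the "reason" string, taken from the message above.
REASON_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<user>[^,]+), roles=\[(?P<roles>[^\]]*)\]"
)

def extract_json(text):
    """Return the first JSON value embedded in a log line, or None."""
    decoder = json.JSONDecoder()
    for pos, ch in enumerate(text):
        if ch == "{":
            try:
                return decoder.raw_decode(text, pos)[0]
            except json.JSONDecodeError:
                continue
    return None

def missing_permissions(log_line):
    """Return one record per distinct denied action in a 403 security_exception."""
    body = extract_json(log_line)
    if not isinstance(body, dict) or body.get("status") != 403:
        return []
    error = body.get("error", {})
    reasons = {error.get("reason", "")}
    reasons.update(rc.get("reason", "") for rc in error.get("root_cause", []))
    records = []
    for reason in sorted(reasons):  # the posted root_cause repeats the top-level reason
        m = REASON_RE.search(reason)
        if m:
            roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
            # "scope" is the action-name prefix: "cluster" or "indices".
            records.append({"action": m["action"], "scope": m["action"].split(":", 1)[0],
                            "user": m["user"], "roles": roles})
    return records
```

For the error in this thread, `missing_permissions(SAMPLE_ERROR)` reports a single denied action, `cluster:monitor/main`, for user `metricbeat-client`, which is the gap the CLUSTER_MONITOR suggestion closes.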