Cloud Access Management
Manage identity and access for an Elastic Cloud organization and its Serverless projects: invite users, assign
predefined or custom roles, and manage Cloud API keys.
Prerequisite: This skill assumes the
cloud-setup skill has already run —
is set in the
environment and the organization context is established. If
is missing, instruct the agent to invoke
cloud-setup first. Do NOT prompt the user for an API key directly.
For project creation, see the cloud-create-project skill. For day-2 project operations (list, update, delete), see
cloud-manage-project. For Elasticsearch-level role management (native users, role mappings, DLS/FLS), see the
elasticsearch-authz skill.
For detailed API endpoints and request schemas, see references/api-reference.md.
Jobs to Be Done
- Invite a user to the organization and assign them a Serverless project role
- List organization members and their current role assignments
- Update a user's roles (org-level or project-level)
- Remove a user from the organization
- Create an additional Cloud API key with scoped roles and expiration
- List and revoke Cloud API keys
- Create a custom role inside a Serverless project with ES cluster, index, and Kibana privileges
- Assign or remove a custom role for a user on a Serverless project using the Cloud API's
- Translate a natural-language access request into invite, role, and API key tasks
Prerequisites
| Item | Description |
|---|
| EC_API_KEY | Cloud API key (set by cloud-setup). Required for all operations. |
| Organization ID | Auto-discovered using . Do not ask the user for it. |
| Project endpoint | Elasticsearch endpoint of a Serverless project. Required only for custom role operations. |
| ES credentials | API key or credentials with privilege on the project. Required only for custom roles. |
| Org owner role | Only Organization owners can create and manage Cloud API keys. Required for API key operations. |
Run
python3 skills/cloud/access-management/scripts/cloud_access.py list-members
to verify that
is valid
and auto-discover the org ID before proceeding with any operation.
Decomposing Access Requests
When the user describes access in natural language (for example, "add Alice to my search project as a developer"), break
the request into discrete tasks before executing.
Step 1 — Identify the components
| Component | Question to answer |
|---|
| Who | New org member (invite) or existing member (role update)? |
| What | Which Serverless project(s) or org-level access? |
| Access level | Predefined role (Admin/Developer/Viewer/Editor) or custom role? |
| API key? | Does the request also need a Cloud API key for programmatic access? |
Step 2 — Check if a predefined role fits
Consult the
predefined roles table below. Prefer predefined roles — only create a custom role when
predefined roles do not provide the required granularity.
Step 3 — Check existing state
Before creating or inviting, check what already exists:
bash
python3 skills/cloud/access-management/scripts/cloud_access.py list-members
python3 skills/cloud/access-management/scripts/cloud_access.py list-api-keys
If the user is already a member, skip the invitation and update their roles instead.
For API key requests, only Organization owners can create and manage Cloud API keys. If the authenticated user does
not have the
role, API key operations will fail with a 403 error. Review the existing keys returned
by
. If an active key already exists
for the same purpose or task with the required roles and
sufficient remaining lifetime, reuse it instead of creating a new one. Two keys with identical permissions are fine when
they serve different purposes (for example, separate CI pipelines), but creating a second key for the same task is
unnecessary and increases the management burden.
Step 4 — Run
Run the appropriate command(s) from
skills/cloud/access-management/scripts/cloud_access.py
. Confirm destructive
actions (remove member, revoke key) with the user before executing.
Step 5 — Verify
After execution, list members or keys again to confirm the change took effect.
Predefined Roles
Organization-level roles
| Role | Cloud API | Description |
|---|
| Organization owner | | Full admin over org, deployments, projects |
| Billing admin | | Manage billing details only |
Serverless project-level roles
| Role | Cloud API | Available on | Description |
|---|
| Admin | | Search, Obs, Security | Full project management, superuser on sign-in |
| Developer | | Search only | Create indices, API keys, connectors, visualizations |
| Viewer | | Search, Obs, Security | Read-only access to project data and features |
| Editor | | Obs, Security | Configure project features, read-only data indices |
| Tier 1 analyst | | Security only | Alert triage, general read, create dashboards |
| Tier 2 analyst | | Security only | Alert triage, begin investigations, create cases |
| Tier 3 analyst | | Security only | Deep investigation, rules, lists, response actions |
| SOC manager | | Security only | Alerts, cases, endpoint policy, response actions |
| Rule author | | Security only | Detection engineering, rule creation |
Project-level roles are assigned during invitation (
POST /organizations/{org_id}/invitations
) or using the role
assignment update (
POST /users/{user_id}/role_assignments
). See
references/api-reference.md for the
JSON schema including the
scope.
Custom Roles (Serverless)
When predefined roles lack the required granularity, create a custom role inside the Serverless project using the
Elasticsearch security API and assign it to users through the Cloud API's
field.
Security: do not assign a predefined Cloud role separately when using a custom role. Custom roles implicitly grant
Viewer-level Cloud access for the project scope. If you also assign
(or any other predefined role) as a
separate Cloud role assignment for the same project, the user receives the
union of both roles when they SSO into
the project — the Viewer stack role is broader than most custom roles and will override the restrictions you intended.
How custom role assignment works
- Predefined roles (, , , etc.) are assigned via Cloud APIs (,
). When the user SSOs into the project, they receive the stack role mapped to their Cloud role (for
example, Cloud maps to the stack role).
- Custom roles are created in the project via the Elasticsearch security API () and assigned via
the Cloud API's field (). When is set, the user gets
only the specified custom role on SSO — not the default stack role for their Cloud role.
- The command sets to the project-type Viewer role (,
, or ) and sets to the custom role name. This ensures the
user can see and access the project in the Cloud console but receives only the custom role's restricted permissions
inside the project.
- Cloud API keys () currently carry Cloud roles only. Support for assigning custom roles to Cloud API
keys is planned and will be documented here once available in production.
Canonical custom-role onboarding flow
- Create the custom role in the project ().
- Invite the user to the organization if they are not already a member (). Do not include project role
assignments in the invitation — the custom role assignment in the next step handles project access.
- Assign the custom role to the user (
assign-custom-role --user-id ... --project-id ... --custom-role-name ...
- Verify with and .
Create a custom role
bash
python3 skills/cloud/access-management/scripts/cloud_access.py create-custom-role \
--role-name marketing-analyst \
--body '{"cluster":[],"indices":[{"names":["marketing-*"],"privileges":["read","view_index_metadata"]}]}'
This calls
PUT /_security/role/{name}
on the project Elasticsearch endpoint.
Naming constraints
Role names must begin with a letter or digit and contain only letters, digits,
,
, and
. Run-as privileges are
not available in Serverless.
When to use custom roles versus predefined
| Scenario | Use |
|---|
| Standard admin/developer/viewer access | Predefined role |
| Read-only access to specific index pattern | Custom role |
| DLS or FLS restrictions | Custom role |
| Kibana feature-level access control | Custom role |
For advanced DLS/FLS patterns (templated queries, ABAC), see the elasticsearch-authz skill.
Examples
Invite a user as a Viewer on a search project
Prompt: "Add
to my search project with read-only access."
bash
python3 skills/cloud/access-management/scripts/cloud_access.py invite-user \
--emails alice@example.com \
--roles '{"project":{"elasticsearch":[{"role_id":"viewer","organization_id":"$ORG_ID","all":false,"project_ids":["$PROJECT_ID"]}]}}'
Replace
and
with the actual IDs. The Viewer role is assigned when the invitation is accepted.
For custom role access, use
after the user has accepted the invitation — do not combine a
predefined role assignment with a custom role for the same project.
Create a CI/CD API key
Prompt: "Create an API key for our CI pipeline that expires in 30 days with editor access to all deployments."
bash
python3 skills/cloud/access-management/scripts/cloud_access.py create-api-key \
--description "CI/CD pipeline" \
--expiration "30d" \
--roles '{"deployment":[{"role_id":"deployment-editor","all":true}]}'
The actual key value is written to a secure temp file (0600 permissions). The stdout JSON contains a
path
instead of the raw secret. Tell the user to retrieve the key from that file — it is shown only once. When the CI
pipeline no longer needs this key, revoke it using
to avoid unused keys accumulating.
Create a custom role for marketing data
Prompt: "Create a role that gives read-only access to marketing-* indices on my search project."
bash
python3 skills/cloud/access-management/scripts/cloud_access.py create-custom-role \
--role-name marketing-reader \
--body '{"cluster":[],"indices":[{"names":["marketing-*"],"privileges":["read","view_index_metadata"]}]}'
Then assign the custom role to a user using the
command, which sets
in the
Cloud API role assignment.
Full custom-role flow for read-only dashboards
Prompt: "Add
to my search project with read-only dashboard access."
bash
# 1) Create custom role in the project
python3 skills/cloud/access-management/scripts/cloud_access.py create-custom-role \
--role-name dashboard-reader \
--body '{"cluster":[],"indices":[],"applications":[{"application":"kibana-.kibana","privileges":["feature_dashboard.read"],"resources":["*"]}]}'
# 2) Invite user to the organization (no project roles — custom role handles access)
python3 skills/cloud/access-management/scripts/cloud_access.py invite-user \
--emails bob@example.com
# 3) After invitation is accepted, assign the custom role via application_roles
python3 skills/cloud/access-management/scripts/cloud_access.py assign-custom-role \
--user-id "$USER_ID" \
--project-id "$PROJECT_ID" \
--project-type elasticsearch \
--custom-role-name dashboard-reader
The user receives Viewer-level Cloud access (can see the project in the console) and
only
permissions when they SSO into the project. Do not also assign
as a separate Cloud role for this project —
doing so would grant the broader Viewer stack role and override the custom role's restrictions.
Update a user's project role
Prompt: "Promote Bob to admin on our observability project."
bash
python3 skills/cloud/access-management/scripts/cloud_access.py assign-role \
--user-id "$USER_ID" \
--roles '{"project":{"observability":[{"role_id":"admin","organization_id":"$ORG_ID","all":false,"project_ids":["$PROJECT_ID"]}]}}'
Replace
,
, and
with actual values. Use
to look up the user ID. To
remove a role assignment, use
with the same
schema.
List all members and their roles
Prompt: "Show me who has access to my organization."
bash
python3 skills/cloud/access-management/scripts/cloud_access.py list-members
The output includes each member's user ID, email, and assigned roles.
Guidelines
- If is not set, do not prompt the user — instruct the agent to invoke cloud-setup first.
- Always confirm destructive actions (remove member, revoke key) with the user before executing.
- Prefer predefined roles over custom roles when they satisfy the access requirement.
- API keys created here are additional keys for CI/CD, scoped access, or team members. The initial key is managed by
cloud-setup.
- Secrets are never printed to stdout or stderr. The script replaces sensitive fields (, ,
) with a placeholder in stdout and writes the full unredacted response to a temporary
file with 0600 (owner-read-only) permissions. The stdout JSON includes a path pointing to that file.
Never attempt to read, extract, or summarize the contents of the secret file. If the user asks for the key, tell
them to open the file at the path. After the user retrieves the secret, advise them to delete the file.
- Cloud API keys inherit roles at creation and cannot be updated — revoke and recreate to change roles.
- API key hygiene — minimize, scope, and expire:
- Before creating a key, always run and check whether an existing key for the same purpose or task
already has the required roles and sufficient remaining lifetime. Keys with identical permissions serving different
purposes (for example, two separate CI pipelines) are legitimate — the goal is to avoid redundant keys for the same
task.
- Always set an that matches the intended task lifetime. Short-lived tasks (CI runs, one-time
migrations) should use short-lived keys (for example, , ).
- After a task is complete, prompt the user to revoke any keys that are no longer needed using . This
applies to both short-lived and long-running keys.
- Long-running keys (for example, monitoring pipelines) should still have a defined expiration and be rotated
periodically rather than set to never expire.
- Each organization supports up to 500 active API keys. Default expiration is 3 months.
- Invitations expire after 72 hours by default. Resend if the user has not accepted.
- For SAML SSO configuration, refer to
Elastic Cloud SAML docs.
- Custom role security — do not over-assign: Never assign a predefined Cloud role (for example, ) for a
project when using for the same project. The custom role assignment implicitly grants
Viewer-level Cloud access. Adding a predefined role on top widens the user's in-project permissions beyond what the
custom role intended.
- If a custom role exists but the user cannot access the project, verify the role was assigned with
(which uses in the Cloud API). Creating a custom role alone does not grant project access — the
Cloud API assignment is required.
- For network-level security (traffic filters, private links), see the cloud-network-security skill.
- For ES-level role management beyond Cloud roles (native users, DLS/FLS), see elasticsearch-authz.