Create Serverless Project
Create Elastic Cloud Serverless projects using the Serverless REST API. Use the
skill for day-2
operations like listing, updating, or deleting projects.
Prerequisites and permissions
- Ensure is configured. If not, run skill first.
- Creating projects requires a Cloud API key with Admin or Organization owner role.
- This skill does not perform a separate role pre-check. Attempt the requested operation and let the API enforce
authorization. If the API returns an authorization error (for example, ), stop and ask the user to
verify the provided API key permissions.
Manual setup fallback (when is unavailable)
If this skill is installed standalone and
is not available, instruct the user to configure Cloud
environment variables manually before running commands. Never ask the user to paste API keys in chat.
| Variable | Required | Description |
|---|
| Yes | Elastic Cloud API key used for project creation operations. |
| No | Cloud API base URL (default: https://api.elastic-cloud.com
|
Note: If
is missing, or the user does not have a Cloud API key yet, direct the user to generate one
at
Elastic Cloud API keys, then configure it locally using the steps below.
Preferred method (agent-friendly): create a
file in the project root:
bash
EC_API_KEY=your-api-key
EC_BASE_URL=https://api.elastic-cloud.com
All
scripts auto-load
from the working directory.
Alternative: export directly in the terminal:
bash
export EC_API_KEY="<your-cloud-api-key>"
export EC_BASE_URL="https://api.elastic-cloud.com"
Terminal exports may not be visible to sandboxed agents running in separate shell sessions, so prefer
when using
an agent.
Critical principles
- Never display secrets in chat. Do not echo, log, or repeat API keys, passwords, or credentials in conversation
messages or agent thinking. Direct the user to the file instead. The admin password must
never appear in chat history, thinking traces, or agent output.
- Confirm before creating. Always present the project configuration to the user and ask for confirmation before
running the creation script.
- Admin credentials are for API key creation only. The script saves the password to
for bootstrapping a scoped API key. The user has full privileges and cannot be modified in serverless. Never
use admin credentials for direct Elasticsearch operations (querying, indexing, etc.) — always create a scoped API key
first (see Step 8). The command excludes admin credentials by default — use
only during Step 7/8, then reload without it once the API key is created. Never read or display the contents of
in chat.
- Recover lost credentials. If the script fails to write (disk full, permissions, etc.), the
save may be incomplete. Check for the password first. If missing, use the
skill's command to generate a new password.
- Region is permanent. A project's region cannot be changed after creation.
- Prefer automatic readiness checks. Pass to the creation script so it polls until the phase changes from
to . Only fall back to manually polling the status endpoint if is unavailable.
Project types
| Type | Description | Key endpoints |
|---|
| Search, analytics, and vector workloads | Elasticsearch, Kibana |
| Logs, metrics, traces, and APM | Elasticsearch, Kibana, APM, OTLP |
| SIEM, endpoint protection, cloud security | Elasticsearch, Kibana, OTLP |
Project type inference
Map the user's request to the correct
value:
| User says | |
|---|
| "search project", "elasticsearch project", vector search | |
| "observability project", "o11y", logs, metrics, traces, APM | |
| "security project", "SIEM", detections, endpoint protection | |
Do
not silently default to any type. If the user does not specify a type, infer it from the conversation context
(for example, discussing log ingestion suggests
, discussing detections or SIEM suggests
,
discussing search or vector workloads suggests
). Always present the inferred type to the user and ask
for confirmation before proceeding. If context is insufficient to infer a type, ask the user to choose.
Product tiers
Observability and security projects support a
flag. Default to
unless the user explicitly
requests a different tier.
| Project type | Tier | Description |
|---|
| | Full observability suite (logs, metrics, traces, APM) |
| | Log management only |
| | Full security suite (SIEM, cloud, endpoint) |
| | Core SIEM only |
Elasticsearch projects do not have a product tier — use
instead.
Sensible defaults
Present these defaults to the user before creation. Ask if they want to use or change them:
Project type must be confirmed with the user — do not assume a default. See "Project type inference" above.
Always use
--optimized-for general_purpose
unless the user explicitly requests
. Do not proactively offer the
option.
If the user does not specify a name, ask for one — it is required.
Workflow: Create a project
text
Project Creation:
- [ ] Step 1: Verify API key is set
- [ ] Step 2: Present defaults and confirm with user
- [ ] Step 3: List available regions (optional)
- [ ] Step 4: Create the project
- [ ] Step 5: Save credentials and endpoints
- [ ] Step 6: Wait for project to initialize
- [ ] Step 7: Set environment variables
- [ ] Step 8: Recommend creating a scoped API key
Step 1: Verify API key is set
bash
echo "${EC_API_KEY:?Not set}"
If
is not set, run the
skill first to configure authentication and defaults.
Step 2: Present summary and confirm with user
Before presenting the summary, ensure the project type has been explicitly confirmed by the user. If no type was
specified, infer one from the conversation context and propose it. If the context is ambiguous, ask the user to choose
from
,
, or
.
Always show a confirmation summary before creating. Include different fields depending on project type:
Elasticsearch project:
text
Project Summary:
Type: elasticsearch
Name: my-project
Region: gcp-us-central1
Observability project:
text
Project Summary:
Type: observability
Name: my-project
Region: gcp-us-central1
Product tier: complete
Security project:
text
Project Summary:
Type: security
Name: my-project
Region: gcp-us-central1
Product tier: complete
Ask the user to confirm or override any values before proceeding.
Step 3: List available regions (optional)
bash
python3 skills/cloud/create-project/scripts/create-project.py list-regions
The output is grouped by cloud provider (AWS, Azure, GCP) and sorted alphabetically. Regions marked with
do not
support project creation.
Step 4: Create the project
bash
python3 skills/cloud/create-project/scripts/create-project.py create \
--type elasticsearch \
--name "my-project" \
--region gcp-us-central1 \
--optimized-for general_purpose \
--wait
Always pass
--optimized-for general_purpose
for Elasticsearch projects. Only use
if the user explicitly
requests it.
For observability and security projects, pass
unless the user explicitly requests a different
tier.
Always pass
so the script automatically polls until the project is ready.
Step 5: Save credentials and endpoints
The script automatically writes credentials to
in the working directory. The password is redacted
from the JSON output on stdout.
If saving succeeds, tell the user:
text
Credentials saved to .elastic-credentials — open that file to retrieve your password.
Do
not read, cat, or display the contents of
in chat.
If saving fails, the script prints an error to stderr. Check whether
exists and contains a
password (a partial write is possible). If the password is missing or the file does not exist, immediately run the
skill's
command to generate a new password.
The creation response also contains:
- Project ID — needed for all subsequent operations
- Cloud ID — for client libraries
- Elasticsearch and Kibana endpoints — safe to display in chat
The admin credentials are for initial bootstrap only. Recommend creating a scoped API key for ongoing access (Step 8).
Step 6: Wait for project to initialize
When
is passed (recommended), the script polls automatically until the project phase becomes
. No
manual polling is needed.
If the agent ran without
, poll manually:
bash
python3 skills/cloud/create-project/scripts/create-project.py status \
--type elasticsearch \
--id <project-id>
Repeat until
changes from
to
.
Step 7: Set environment variables
The creation script saves credentials and endpoints to
with the project name in the header. Load
them into the current shell
with so admin credentials are available for API key creation in Step
8:
bash
eval $(python3 skills/cloud/manage-project/scripts/manage-project.py load-credentials \
--name "<project-name>" --include-admin)
This sets
,
, any project-type specific endpoints (
,
), and the
admin
/
needed to bootstrap an API key.
Step 8: Create a scoped API key
The
user has full privileges and cannot be modified in serverless projects.
Do not proceed with Elasticsearch
operations using admin credentials. Create a scoped Elasticsearch API key with only the permissions the user needs.
If the
skill is available, use it for API key creation — it covers the full lifecycle (create,
grant, invalidate, query) and handles scoping privileges correctly. If the skill is not installed, ask the user to
either install it or create the API key manually through
Kibana > Stack Management > API keys. After creation, save
the API key to
using the project-specific header format (see
skill's "Credential
file format" section), then reload
without to drop admin credentials from the environment:
bash
eval $(python3 skills/cloud/manage-project/scripts/manage-project.py load-credentials \
--name "<project-name>")
Examples
Create an Elasticsearch project with defaults
bash
python3 skills/cloud/create-project/scripts/create-project.py create \
--type elasticsearch \
--name "my-search-project" \
--region gcp-us-central1 \
--optimized-for general_purpose \
--wait
Create an observability project
bash
python3 skills/cloud/create-project/scripts/create-project.py create \
--type observability \
--name "prod-o11y" \
--region aws-eu-west-1 \
--product-tier complete \
--wait
Create a security project
bash
python3 skills/cloud/create-project/scripts/create-project.py create \
--type security \
--name "siem-prod" \
--region gcp-us-central1 \
--product-tier complete \
--wait
Guidelines
- Run the skill first if is not set.
- Always confirm the project configuration with the user before creating.
- Never display passwords or API keys in chat. Direct the user to .
- Never silently default to a project type. Infer from context and confirm with the user.
- Default to optimization. Only use if the user explicitly requests it.
- Default to product tier for observability and security projects. Only use or
if the user explicitly requests it.
- Always pass so the script polls until the project is ready.
- If credential saving fails, immediately reset credentials using the skill.
- After creation, recommend creating a scoped API key instead of relying on admin credentials.
- Region cannot be changed after creation — confirm the choice before proceeding.
Script reference
| Command | Description |
|---|
| Create a new serverless project |
| Get project initialization status |
| List available regions |
| Flag | Commands | Description |
|---|
| create, status | Project type: , , |
| create | Project name (required) |
| create | Region ID (default: ) |
| status | Project ID |
| create | Elasticsearch subtype: or |
| create | Observability/security tier (see "Product tiers" section) |
| create | Poll until project is initialized before exiting |
Environment variables
| Variable | Required | Description |
|---|
| Yes | Elastic Cloud API key |
| No | Cloud API base URL (default: https://api.elastic-cloud.com
|
| Output | Elasticsearch URL (loaded via after creation) |
| Output | Kibana URL (loaded via after creation) |
| Output | APM endpoint (observability projects only) |
| Output | OTLP ingest endpoint (observability and security projects) |
| Output | Elasticsearch API key (created in Step 8, loaded via ) |
Additional resources
- For full API details, request/response schemas, and project-type options, see
references/api-reference.md