
Cloud Access Management
Manage Elastic Cloud organization members, role assignments, Cloud API keys, and serverless Elasticsearch custom roles via documented API flows.
Overview
cloud-access-management is an agent skill most often used in Operate (also Build integrations) that governs Elastic Cloud and serverless Elasticsearch access via Organization, Role, and API key APIs.
Install
npx skills add https://github.com/elastic/agent-skills --skill cloud-access-management
What is this skill?
- Elastic Cloud API v1 base `https://api.elastic-cloud.com/api/v1` with `Authorization: ApiKey $EC_API_KEY`
- Organization discovery, member invites, pending invitations, and member removal flows
- Role assignments including custom roles via `application_roles`
- Cloud API key create, list, and delete operations
- Serverless Elasticsearch Security API for custom role CRUD with `manage_security` privileges
- Elastic Cloud REST base path api/v1 documented in skill
- Five major API areas: organization discovery, members, role assignments, Cloud API keys, serverless custom roles
Adoption & trust: 932 installs on skills.sh; 502 GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
You run on Elastic Cloud but lack a structured way to invite users, assign roles, and manage API keys without guessing REST paths and headers.
Who is it for?
Solo builders or tiny teams administering Elastic Cloud orgs and serverless projects with API keys and custom Elasticsearch roles.
Skip if: Non-Elastic clouds, app feature development without cloud IAM needs, or beginners without an Elastic Cloud account and API key.
When should I use this skill?
When managing Elastic Cloud organization access, invitations, role assignments, Cloud API keys, or serverless Elasticsearch custom roles.
What do I get? / Deliverables
Documented API sequences produce consistent org membership, role assignments, and key lifecycle on Elastic Cloud and serverless ES.
- API call sequences for member and role changes
- Documented API key lifecycle operations
- Custom role definitions on serverless Elasticsearch
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Access control for Elastic Cloud is a production operations concern once projects exist, though teams also touch it during initial cloud wiring. IAM-style org membership, invitations, API keys, and security roles are infrastructure and access-plane tasks on Elastic Cloud.
Where it fits
Script initial Elastic Cloud API key creation before your app talks to a serverless Elasticsearch endpoint.
Audit and delete stale Cloud API keys before a public launch milestone.
Remove a contractor’s org membership and strip role assignments after a project ends.
How it compares
Elastic Cloud IAM API reference skill—not a generic secrets manager or unrelated DevOps bootstrap.
Common Questions / FAQ
Who is cloud-access-management for?
Indie operators and agents managing Elastic Cloud organizations, memberships, and Elasticsearch security roles on serverless projects.
When should I use cloud-access-management?
Use it in Operate (infra) when rotating keys or removing members; in Build (integrations) when first wiring Elastic Cloud auth into your deployment scripts.
Is cloud-access-management safe to install?
It describes privileged Cloud and security APIs—review the Security Audits panel on this Prism page and never paste production API keys into untrusted agents.
SKILL.md - Cloud Access Management
# Cloud Access Management — API Reference

All Cloud API calls use base URL `https://api.elastic-cloud.com/api/v1` and require the header `Authorization: ApiKey $EC_API_KEY`. Serverless ES API calls use the project Elasticsearch endpoint and require either basic auth or an Elasticsearch API key with `manage_security` privileges.

## Table of Contents

- [Organization Discovery](#organization-discovery)
- [Organization Members](#organization-members)
  - [List members](#list-members)
  - [Invite users](#invite-users)
  - [List pending invitations](#list-pending-invitations)
  - [Cancel invitations](#cancel-invitations)
  - [Remove members](#remove-members)
- [Role Assignments](#role-assignments)
  - [Add role assignments to a user](#add-role-assignments-to-a-user)
  - [Role assignments schema](#role-assignments-schema)
  - [Assign a custom role using application_roles](#assign-a-custom-role-using-application_roles)
  - [Remove role assignments](#remove-role-assignments)
- [Cloud API Keys](#cloud-api-keys)
  - [Create an API key](#create-an-api-key)
  - [List all API keys](#list-all-api-keys)
  - [Delete API keys](#delete-api-keys)
- [Serverless Custom Roles (Elasticsearch Security API)](#serverless-custom-roles-elasticsearch-security-api)
  - [Create or update a custom role](#create-or-update-a-custom-role)
  - [Get a custom role](#get-a-custom-role)
  - [List all roles](#list-all-roles)
  - [Delete a custom role](#delete-a-custom-role)

---

## Organization Discovery

> **Official API docs:**
> [List organizations](https://www.elastic.co/docs/api/doc/cloud/operation/operation-list-organizations)

### Get organizations

```text
GET /organizations
```

Returns the list of organizations the authenticated user belongs to. Use to auto-discover `organization_id`.

```bash
curl -s -H "Authorization: ApiKey $EC_API_KEY" \
  "https://api.elastic-cloud.com/api/v1/organizations"
```

**Response** (200):

```json
{
  "organizations": [
    {
      "id": "org-uuid-here",
      "name": "My Organization"
    }
  ]
}
```

---

## Organization Members

> **Official API docs:**
> [List members](https://www.elastic.co/docs/api/doc/cloud/operation/operation-list-organization-members) ·
> [Invite users](https://www.elastic.co/docs/api/doc/cloud/operation/operation-create-organization-invitations) ·
> [List invitations](https://www.elastic.co/docs/api/doc/cloud/operation/operation-list-organization-invitations) ·
> [Delete invitations](https://www.elastic.co/docs/api/doc/cloud/operation/operation-delete-organization-invitations) ·
> [Remove members](https://www.elastic.co/docs/api/doc/cloud/operation/operation-delete-organization-memberships)

### List members

```text
GET /organizations/{organization_id}/members
```

```bash
curl -s -H "Authorization: ApiKey $EC_API_KEY" \
  "https://api.elastic-cloud.com/api/v1/organizations/$ORG_ID/members"
```

**Response** (200):

```json
{
  "members": [
    {
      "user_id": "user-uuid",
      "email": "alice@example.com",
      "name": "Alice",
      "role_assignments": { ... }
    }
  ]
}
```

| Status | Meaning                     |
| ------ | --------------------------- |
| 200    | Members listed successfully |
| 404    | Organization not found      |

### Invite users

```text
POST /organizations/{organization_id}/invitations
```

```bash
curl -s -X POST \
  -H "Authorization: ApiKey $EC_API_KEY" \
  -H "Content-Type: application/json" \
  "https://api.elastic-cloud.com/api/v1/organizations/$ORG_ID/invitations" \
  -d '{
    "emails": ["alice@example.com", "bob@example.com"],
    "expires_in": "3d",
    "role_assignments": {
      "organization": [
        { "role_id": "billing-admin" }
      ],
      "deployment": [
        { "role_id": "deployment-viewer", "organization_id": "'"$ORG_ID"'", "all": true }
      ]
    }
  }'
```

**Request body fields:**

| Field | Type | Required | Description