docs: Incorrect docs on standalone apm roles causing missing permissions on traces-apm.sampled data stream #18401
Description
APM Server version (apm-server version): confirmed on 8.19.2 but should affect many versions
Description of the problem including expected versus actual behavior:
expected: follow apm docs on setting up apm_writer and other roles, see no errors when using TBS
actual: follow apm docs on setting up apm_writer and other roles, see 403 permission error logs due to pubsub when using TBS
This docs bug need to be checked and fixed in both 8.x and 9.x. 9.x has a apm_tail_based_sampling role from PR elastic/docs-content#1065 but appears to be incomplete.
Steps to reproduce:
Please include a minimal but complete recreation of the problem,
including server configuration, agent(s) used, etc. The easier you make it
for us to reproduce it, the more likely that somebody will take the time to
look at it.
- follow 9.x docs and 8.19 docs to setup api key for standalone apm-server
- enable tbs
- observe for pubsub error logs from apm-server
Provide logs (if relevant):
"action [indices:monitor/stats] is unauthorized for user [apm_server] with effective roles [apm_writer] on indices [traces-apm.sampled-test], this action is granted by the index privileges [monitor,cross_cluster_replication,manage,all]"
action [indices:admin/refresh] is unauthorized for user [apm_server] with effective roles [apm_writer] on indices [.ds-traces-apm.sampled-test-2025.08.25-001441,.ds-traces-apm.sampled-test-2025.08.24-001433,.ds-traces-apm.sampled-test-2025.08.24-001435,.ds-traces-apm.sampled-test-2025.08.24-001437,.ds-traces-apm.sampled-test-2025.08.24-001439], this action is granted by the index privileges [maintenance,manage,all]"
action [indices:data/read/search] is unauthorized for user [apm_server] with effective roles [apm_writer] on indices [.ds-traces-apm.sampled-test-2025.08.24-001437], this action is granted by the index privileges [read,all]"