elastic · ankit--sethi · Jul 1, 2025 · Jun 25, 2025 · Jun 27, 2025 · Jun 27, 2025
diff --git a/...ugin/core/src/main/java/org/elasticsearch/xpack/core/security/xcontent/XContentUtils.java b/...ugin/core/src/main/java/org/elasticsearch/xpack/core/security/xcontent/XContentUtils.java
@@ -112,9 +112,7 @@ public static void addAuthorizationInfo(final XContentBuilder builder, final Map
     private static void addSubjectInfo(XContentBuilder builder, Subject subject) throws IOException {
         switch (subject.getType()) {
             case USER -> builder.array(User.Fields.ROLES.getPreferredName(), subject.getUser().roles());
-            case API_KEY -> {
-                addApiKeyInfo(builder, subject);
-            }
+            case API_KEY -> addApiKeyInfo(builder, subject);
             case SERVICE_ACCOUNT -> builder.field("service_account", subject.getUser().principal());
             case CROSS_CLUSTER_ACCESS -> {
                 builder.startObject("cross_cluster_access");
@@ -129,7 +127,16 @@ private static void addSubjectInfo(XContentBuilder builder, Subject subject) thr
                 builder.endObject();
             }
             case CLOUD_API_KEY -> {
-                // TODO Add cloud API key information here
+                builder.startObject("cloud_api_key");
+                Map<String, Object> metadata = subject.getUser().metadata();
+                builder.field("id", subject.getUser().principal());
+                Object name = metadata.get(AuthenticationField.API_KEY_NAME_KEY);
+                if (name instanceof String) {
+                    builder.field("name", name);
+                }
+                builder.field("internal", metadata.get(AuthenticationField.API_KEY_INTERNAL_KEY));
+                builder.array(User.Fields.ROLES.getPreferredName(), subject.getUser().roles());
+                builder.endObject();
             }
         }
     }

diff --git a/...core/src/test/java/org/elasticsearch/xpack/core/security/xcontent/XContentUtilsTests.java b/...core/src/test/java/org/elasticsearch/xpack/core/security/xcontent/XContentUtilsTests.java
@@ -26,6 +26,7 @@
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_ID_KEY;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.API_KEY_NAME_KEY;
 import static org.elasticsearch.xpack.core.security.authc.AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
 
 public class XContentUtilsTests extends ESTestCase {
@@ -62,6 +63,13 @@ public void testAddAuthorizationInfoWithApiKey() throws IOException {
         assertThat(json, equalTo("{\"authorization\":{\"api_key\":{\"id\":\"" + apiKeyId + "\",\"name\":\"" + apiKeyName + "\"}}}"));
     }
 
+    public void testAddAuthorizationInfoWithCloudApiKey() throws IOException {
+        String apiKeyId = randomAlphaOfLength(20);
+        Authentication authentication = AuthenticationTestHelper.randomCloudApiKeyAuthentication(apiKeyId);
+        String json = generateJson(Map.of(AuthenticationField.AUTHENTICATION_KEY, authentication.encode()));
+        assertThat(json, containsString("{\"authorization\":{\"cloud_api_key\":{\"id\":\"" + apiKeyId + "\""));
+    }
+
     public void testAddAuthorizationInfoWithServiceAccount() throws IOException {
         String account = "elastic/" + randomFrom("kibana", "fleet-server");
         User user = new User(account);