Kibana convert api (#254299)

## Summary

Exposing UIAM API Key `convert` API to transform ES native API Keys into
UIAM API Keys
<img width="1754" height="671" alt="Screenshot 2026-02-26 at 11 26
45 PM"
src="https://github.com/user-attachments/assets/39d660b0-26ec-4595-b4b7-ad735a53b1b5"
/>


## Testing

Run Kibana & Elasticsearch in UIAM mode:

```shell
## Run Elasticsearch in UIAM mode
$ yarn es serverless --projectType observability --uiam

## Run Kibana in UIAM mode
$ yarn start --serverless=oblt --uiam
```

Create a native ES API Key (any will do!), copy the key value

Navigate to DevTools and call the `convert` endpoint that has been
exposed through MockIdP:
```
POST kbn:/mock_idp/uiam/convert_api_keys
{
  "keys": [
    "RmhXb2Nwd0JYNFNUSmFER291MGc6YzZmNHEzMVBoai0wNXZSMkhaNUh6UQ=="
  ]
}
```

Result:
```
{
  "results": [
    {
      "status": "success",
      "id": "0b6Q5cQ3QRCz7afNV5UsIA",
      "key": "essu_dev_djE6MGI2UTVjUTNRUkN6N2FmTlY1VXNJQToyN256a21YZU05bjhWWklqWEZ4ZTF5OStpNzNBa3BUTGNlMW8yQ2VLclhJPQAAAAAJQBl0",
      "organization_id": "org1234567890",
      "description": "kurt test key",
      "internal": true,
      "role_assignments": {
        "project": {
          "observability": [
            {
              "role_id": "observability-application-only",
              "organization_id": "org1234567890",
              "all": true,
              "application_roles": [
                "admin"
              ]
            }
          ]
        }
      },
      "creation_date": "2026-02-18T21:33:59.201099712Z"
    }
  ]
}
```

---------

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>

Author: 3 people

packages/kbn-mock-idp-plugin/server/plugin.ts

@@ -357,6 +357,47 @@ export const plugin: PluginInitializer<void, void, PluginSetupDependencies> = as
           }
         }
       );
+
+      router.post(
+        {
+          path: '/mock_idp/uiam/convert_api_keys',
+          validate: {
+            body: schema.object({
+              keys: schema.arrayOf(schema.string(), { minSize: 1 }),
+            }),
+          },
+          options: { authRequired: 'optional' },
+          security: { authz: { enabled: false, reason: 'Mock IDP plugin for testing' } },
+        },
+        async (context, request, response) => {
+          try {
+            const { keys } = request.body;
+            const [
+              {
+                security: { authc },
+              },
+            ] = await core.getStartServices();
+
+            const result = await authc.apiKeys.uiam?.convert(keys);
+
+            if (!result) {
+              return response.badRequest({
+                body: { message: 'Failed to convert API keys' },
+              });
+            }
+
+            return response.ok({
+              body: result,
+            });
+          } catch (err) {
+            logger.error(`Failed to convert API keys via UIAM: ${err}`, err);
+            return response.customError({
+              statusCode: 500,
+              body: { message: err.message },
+            });
+          }
+        }
+      );
     },
     start() {},
     stop() {},

src/cli/serve/serve.js

@@ -474,6 +474,19 @@ function tryConfigureServerlessSamlProvider(rawConfig, opts, extraCliOptions) {
     if (!_.has(rawConfig, 'xpack.cloud.projects_url')) {
       lodashSet(rawConfig, 'xpack.cloud.projects_url', '');
     }
+
+    // The UIAM service needs a network-accessible ES URL to validate API keys during conversion.
+    // The security plugin decodes cloud.id to obtain this URL. In the local Docker setup,
+    // the UIAM container reaches ES via host.docker.internal on the host network.
+    if (!_.has(rawConfig, 'xpack.cloud.id')) {
+      lodashSet(
+        rawConfig,
+        'xpack.cloud.id',
+        // Decodes to: docker.internal:9200$host:9200$kibana:9200
+        // Producing ES URL: https://host.docker.internal:9200
+        'local-dev:ZG9ja2VyLmludGVybmFsOjkyMDAkaG9zdDo5MjAwJGtpYmFuYTo5MjAw'
+      );
+    }
   }
 
   return true;

src/cli/serve/serve.test.js

@@ -124,6 +124,7 @@ describe('applyConfigOverrides', () => {
       plugins: { paths: [] },
       xpack: {
         cloud: {
+          id: 'local-dev:ZG9ja2VyLmludGVybmFsOjkyMDAkaG9zdDo5MjAwJGtpYmFuYTo5MjAw',
           organization_id: 'org1234567890',
           projects_url: '',
           serverless: { project_id: 'abcdef12345678901234567890123456' },

src/core/packages/security/server-internal/src/security_route_handler_context.ts

@@ -43,6 +43,7 @@ export class CoreSecurityRouteHandlerContext implements SecurityRequestHandlerCo
                 grant: (grantUiamApiKeyParams) => uiam.grant(this.request, grantUiamApiKeyParams),
                 invalidate: (invalidateUiamApiKeyParams) =>
                   uiam.invalidate(this.request, invalidateUiamApiKeyParams),
+                convert: (convertUiamApiKeyParams) => uiam.convert(convertUiamApiKeyParams),
               }
             : null,
         },

src/core/packages/security/server-internal/src/utils/convert_security_api.test.ts

@@ -29,6 +29,7 @@ describe('convertSecurityApi', () => {
           uiam: {
             grant: jest.fn(),
             invalidate: jest.fn(),
+            convert: jest.fn(),
           },
         },
       },

src/core/packages/security/server-mocks/src/api_keys.mock.ts

@@ -24,6 +24,7 @@ export const apiKeysMock = {
       uiam: {
         grant: jest.fn(),
         invalidate: jest.fn(),
+        convert: jest.fn(),
       },
     }),
 };

src/core/packages/security/server-mocks/src/security_service.mock.ts

@@ -100,6 +100,7 @@ const createRequestHandlerContextMock = () => {
         uiam: {
           grant: jest.fn(),
           invalidate: jest.fn(),
+          convert: jest.fn(),
         },
       }),
     }),

src/core/packages/security/server/src/authentication/api_keys/index.ts

@@ -36,6 +36,10 @@ export type {
   UiamAPIKeysWithContextType,
   GrantUiamAPIKeyParams,
   InvalidateUiamAPIKeyParams,
+  ConvertUiamAPIKeyResult,
+  ConvertUiamAPIKeyResultSuccess,
+  ConvertUiamAPIKeyResultFailed,
+  ConvertUiamAPIKeysResponse,
 } from './uiam';
 
 export interface APIKeysType extends NativeAPIKeysType {

src/core/packages/security/server/src/authentication/api_keys/uiam/index.ts

@@ -11,5 +11,9 @@ export type {
   UiamAPIKeysType,
   GrantUiamAPIKeyParams,
   InvalidateUiamAPIKeyParams,
+  ConvertUiamAPIKeyResult,
+  ConvertUiamAPIKeyResultSuccess,
+  ConvertUiamAPIKeyResultFailed,
+  ConvertUiamAPIKeysResponse,
 } from './uiam_api_keys';
 export type { UiamAPIKeysWithContextType } from './uiam_api_keys_context';

src/core/packages/security/server/src/authentication/api_keys/uiam/uiam_api_keys.ts

@@ -38,6 +38,14 @@ export interface UiamAPIKeysType {
     request: KibanaRequest,
     params: InvalidateUiamAPIKeyParams
   ): Promise<InvalidateAPIKeyResult | null>;
+
+  /**
+   * Converts Elasticsearch API keys into UIAM API keys.
+   *
+   * @param keys The base64-encoded Elasticsearch API key values to convert.
+   * @returns A promise that resolves to a response containing per-key success/failure results, or null if the license is not enabled.
+   */
+  convert(keys: string[]): Promise<ConvertUiamAPIKeysResponse | null>;
 }
 
 /**
@@ -64,3 +72,43 @@ export interface InvalidateUiamAPIKeyParams {
    */
   id: string;
 }
+
+/**
+ * A successful result from converting an Elasticsearch API key into a UIAM API key.
+ */
+export interface ConvertUiamAPIKeyResultSuccess {
+  status: 'success';
+  id: string;
+  key: string;
+  description: string;
+  organization_id: string;
+  internal: boolean;
+  role_assignments: Record<string, unknown>;
+  creation_date: string;
+  expiration_date: string | null;
+}
+
+/**
+ * A failed result from converting an Elasticsearch API key into a UIAM API key.
+ */
+export interface ConvertUiamAPIKeyResultFailed {
+  status: 'failed';
+  code: string;
+  message: string;
+  resource: string | null;
+  type: string;
+}
+
+/**
+ * A single result entry from the convert API keys operation; either success or failure.
+ */
+export type ConvertUiamAPIKeyResult =
+  | ConvertUiamAPIKeyResultSuccess
+  | ConvertUiamAPIKeyResultFailed;
+
+/**
+ * Response from the UIAM convert API keys operation.
+ */
+export interface ConvertUiamAPIKeysResponse {
+  results: ConvertUiamAPIKeyResult[];
+}