[Request]: Update APM secure communications with Elasticsearch

[endorama]

Description

Built-in and deprecated since 8.x apm_user role has been removed from Elasticsearch, see elastic/elasticsearch#116712.

Without this role reading from index traces-apm.sampled, used in Tail Based Sampling, requires additional permissions.

To overcome this we need to update the documentation for APM feature role usage and API key usage to include the additional permissions. Another built-in role may be used (untested) or we could add a new role, apm_reader, with the additional permission to read from traces-apm.sampled index. This permission is needed when using the Tail Based Sampling functionality.

Resources

elastic/elasticsearch#116712
elastic/apm-server#14876

Which documentation set does this change impact?

Stateful only

Feature differences

n/a

What release is this request related to?

9.0

Collaboration model

The documentation team

Point of contact.

Main contact: @endorama

Stakeholders:

[bmorelli25]

Relevant docs:

1. Explanation/How to: https://www.elastic.co/guide/en/observability/current/apm-sampling.html
2. Config docs: https://www.elastic.co/guide/en/observability/current/apm-tail-based-samling-config.html
3. Feature role docs (no tail-based sampling examples): https://www.elastic.co/guide/en/observability/current/apm-feature-roles.html
4. API key docs: https://www.elastic.co/guide/en/observability/current/apm-beats-api-keys.html

We probably need to do both of the following to resolve this issue:

• Add documentation to both (1) and (2) explaining that enhanced privileges are required to use tail-based sampling.
• Add an example to both (3) and (4) of the newly required index-read permission on traces-apm.sampled.