After much experimentation (this was iteration #29, as you can see), these appear to be the minimum permissions necessary for the auth token, given that I’m loading the index templates manually rather than letting Metricbeat do it:
POST /_searchguard/authtoken
{
"name": "metricbeat-index-write-029",
"requested": {
"cluster_permissions": [
"cluster:admin/ilm/get",
"cluster:monitor/main",
"cluster:monitor/xpack/info",
"cluster:monitor/xpack/license/get",
"indices:data/write*"
],
"index_permissions": [
{
"index_patterns": [
"metricbeat-*"
],
"allowed_actions": [
"SGS_WRITE"
]
},
{
"index_patterns": ["*"],
"allowed_actions": [
"indices:admin/aliases/exists*",
"indices:admin/aliases/get*"
]
}
]
},
"expires_after": "1y"
}