Elastic Cloud 无服务器项目创建指南：使用 cloud-create-project 技能

cloud-create-project by elastic/agent-skills

207 周安装量

306 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/elastic/agent-skills --skill cloud-create-project

自动化云服务开发运维

🇨🇳中文介绍

创建无服务器项目

使用 Serverless REST API 创建 Elastic Cloud 无服务器项目。使用 cloud-manage-project 技能进行日常运维操作，例如列出、更新或删除项目。

前提条件和权限

确保已配置 EC_API_KEY。如果未配置，请先运行 cloud-setup 技能。
创建项目需要一个具有 管理员 或 组织所有者 角色的 Cloud API 密钥。
此技能不执行单独的角色预检查。尝试请求的操作，让 API 强制执行授权。如果 API 返回授权错误（例如 403 Forbidden），请停止并让用户验证所提供的 API 密钥权限。

手动设置回退方案（当 `cloud-setup` 不可用时）

如果此技能是独立安装且 cloud-setup 不可用，请指导用户在运行命令前手动配置 Cloud 环境变量。切勿要求用户在聊天中粘贴 API 密钥。

变量	必需

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

类型	描述	关键端点
`elasticsearch`	搜索、分析和向量工作负载	Elasticsearch, Kibana
`observability`	日志、指标、追踪和 APM	Elasticsearch, Kibana, APM, OTLP
`security`	SIEM、端点保护、云安全	Elasticsearch, Kibana, OTLP

用户表述	`--type`
"搜索项目"、"elasticsearch 项目"、向量搜索	`elasticsearch`
"可观测性项目"、"o11y"、日志、指标、追踪、APM	`observability`
"安全项目"、"SIEM"、检测、端点保护	`security`

项目类型	层级	描述
`observability`	`complete`	完整的可观测性套件（日志、指标、追踪、APM）
`observability`	`logs_essentials`	仅日志管理
`security`	`complete`	完整的安全套件（SIEM、云、端点）
`security`	`essentials`	仅核心 SIEM

设置项	默认值
区域	`gcp-us-central1`

工作流程：创建项目

项目创建：
- [ ] 步骤 1：验证 API 密钥是否已设置
- [ ] 步骤 2：向用户展示默认值并确认
- [ ] 步骤 3：列出可用区域（可选）
- [ ] 步骤 4：创建项目
- [ ] 步骤 5：保存凭据和端点
- [ ] 步骤 6：等待项目初始化
- [ ] 步骤 7：设置环境变量
- [ ] 步骤 8：建议创建作用域 API 密钥

步骤 1：验证 API 密钥是否已设置

echo "${EC_API_KEY:?Not set}"

如果 EC_API_KEY 未设置，请先运行 cloud-setup 技能来配置身份验证和默认值。

步骤 2：展示摘要并向用户确认

在展示摘要之前，确保项目类型已得到用户的明确确认。如果未指定类型，请根据对话上下文推断一个并提出建议。如果上下文不明确，请让用户从 elasticsearch、observability 或 security 中选择。

在创建之前始终显示确认摘要。根据项目类型包含不同的字段：

Elasticsearch 项目：

项目摘要：
  类型：          elasticsearch
  名称：          my-project
  区域：          gcp-us-central1

可观测性项目：

项目摘要：
  类型：          observability
  名称：          my-project
  区域：          gcp-us-central1
  产品层级：      complete

项目摘要：
  类型：          security
  名称：          my-project
  区域：          gcp-us-central1
  产品层级：      complete

在继续之前，请用户确认或覆盖任何值。

步骤 3：列出可用区域（可选）

python3 skills/cloud/create-project/scripts/create-project.py list-regions

输出按云提供商（AWS、Azure、GCP）分组并按字母顺序排序。标有 * 的区域不支持项目创建。

步骤 4：创建项目

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type elasticsearch \
  --name "my-project" \
  --region gcp-us-central1 \
  --optimized-for general_purpose \
  --wait

对于 Elasticsearch 项目，始终传递 --optimized-for general_purpose。仅当用户明确请求时才使用 vector。

对于可观测性和安全项目，除非用户明确请求不同的层级，否则传递 --product-tier complete。

始终传递 --wait，以便脚本自动轮询直到项目就绪。

步骤 5：保存凭据和端点

脚本会自动将凭据写入工作目录中的 .elastic-credentials。密码在标准输出的 JSON 输出中被隐藏。

如果保存成功，请告知用户：

凭据已保存至 .elastic-credentials — 打开该文件以获取您的密码。

请不要在聊天中读取、cat 或显示 .elastic-credentials 的内容。

如果保存失败，脚本会将错误打印到 stderr。检查 .elastic-credentials 是否存在并包含密码（可能存在部分写入的情况）。如果密码缺失或文件不存在，请立即运行 cloud-manage-project 技能的 reset-credentials 命令以生成新密码。

创建响应还包含：

项目 ID — 所有后续操作都需要
Cloud ID — 用于客户端库
Elasticsearch 和 Kibana 端点 — 可以在聊天中安全显示

管理员凭据仅用于初始引导。建议为持续访问创建一个作用域 API 密钥（步骤 8）。

步骤 6：等待项目初始化

当传递了 --wait（推荐）时，脚本会自动轮询直到项目阶段变为 initialized。无需手动轮询。

如果代理在没有 --wait 的情况下运行，请手动轮询：

python3 skills/cloud/create-project/scripts/create-project.py status \
  --type elasticsearch \
  --id <project-id>

重复此操作直到 phase 从 initializing 变为 initialized。

步骤 7：设置环境变量

创建脚本将凭据和端点保存到 .elastic-credentials，并在文件头中包含项目名称。将它们加载到当前 shell 中时使用 --include-admin，以便在步骤 8 中创建 API 密钥时可以使用管理员凭据：

eval $(python3 skills/cloud/manage-project/scripts/manage-project.py load-credentials \
  --name "<project-name>" --include-admin)

这将设置 ELASTICSEARCH_URL、KIBANA_URL、任何项目类型特定的端点（APM_URL、INGEST_URL）以及引导 API 密钥所需的管理员 ELASTICSEARCH_USERNAME/ELASTICSEARCH_PASSWORD。

步骤 8：创建作用域 API 密钥

admin 用户拥有完全权限，并且在无服务器项目中无法修改。请勿使用管理员凭据继续进行 Elasticsearch 操作。 创建一个仅具有用户所需权限的作用域 Elasticsearch API 密钥。

如果 elasticsearch-authn 技能可用，请使用它来创建 API 密钥——它涵盖了完整的生命周期（创建、授权、失效、查询）并能正确处理权限作用域。如果该技能未安装，请要求用户要么安装它，要么通过 Kibana > 堆栈管理 > API 密钥 手动创建 API 密钥。创建后，使用项目特定的文件头格式将 API 密钥保存到 .elastic-credentials（参见 manage-project 技能的"凭据文件格式"部分），然后重新加载时不使用 --include-admin 以从环境中移除管理员凭据：

eval $(python3 skills/cloud/manage-project/scripts/manage-project.py load-credentials \
  --name "<project-name>")

使用默认值创建 Elasticsearch 项目

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type elasticsearch \
  --name "my-search-project" \
  --region gcp-us-central1 \
  --optimized-for general_purpose \
  --wait

创建可观测性项目

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type observability \
  --name "prod-o11y" \
  --region aws-eu-west-1 \
  --product-tier complete \
  --wait

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type security \
  --name "siem-prod" \
  --region gcp-us-central1 \
  --product-tier complete \
  --wait

如果 EC_API_KEY 未设置，请先运行 cloud-setup 技能。
在创建之前，始终与用户确认项目配置。
切勿在聊天中显示密码或 API 密钥。引导用户查看 .elastic-credentials。
切勿静默默认选择项目类型。根据上下文推断并与用户确认。
默认使用 general_purpose 优化。仅当用户明确请求时才使用 vector。
对于可观测性和安全项目，默认使用 complete 产品层级。仅当用户明确请求时才使用 logs_essentials 或 essentials。
始终传递 --wait，以便脚本轮询直到项目就绪。
如果凭据保存失败，请立即使用 cloud-manage-project 技能重置凭据。
创建后，建议创建作用域 API 密钥，而不是依赖管理员凭据。
区域在创建后无法更改——在继续之前确认选择。

命令	描述
`create`	创建新的无服务器项目
`status`	获取项目初始化状态
`list-regions`	列出可用区域
标志	命令
---	---
`--type`	create, status
`--name`	create
`--region`	create
`--id`	status
`--optimized-for`	create
`--product-tier`	create
`--wait`	create

变量	必需	描述
`EC_API_KEY`	是	Elastic Cloud API 密钥
`EC_BASE_URL`	否	Cloud API 基础 URL（默认：`https://api.elastic-cloud.com`）
`ELASTICSEARCH_URL`	输出	Elasticsearch URL（创建后通过 `load-credentials` 加载）
`KIBANA_URL`	输出	Kibana URL（创建后通过 `load-credentials` 加载）
`APM_URL`	输出	APM 端点（仅限可观测性项目）
`INGEST_URL`	输出	OTLP 摄入端点（可观测性和安全项目）
`ELASTICSEARCH_API_KEY`	输出	Elasticsearch API 密钥（在步骤 8 中创建，通过 `load-credentials` 加载）

有关完整的 API 详情、请求/响应模式以及项目类型选项，请参阅 references/api-reference.md

🇺🇸English

Create Serverless Project

Create Elastic Cloud Serverless projects using the Serverless REST API. Use the cloud-manage-project skill for day-2 operations like listing, updating, or deleting projects.

Prerequisites and permissions

Ensure EC_API_KEY is configured. If not, run cloud-setup skill first.
Creating projects requires a Cloud API key with Admin or Organization owner role.
This skill does not perform a separate role pre-check. Attempt the requested operation and let the API enforce authorization. If the API returns an authorization error (for example, 403 Forbidden), stop and ask the user to verify the provided API key permissions.

Manual setup fallback (when `cloud-setup` is unavailable)

If this skill is installed standalone and cloud-setup is not available, instruct the user to configure Cloud environment variables manually before running commands. Never ask the user to paste API keys in chat.

Variable	Required	Description
`EC_API_KEY`	Yes	Elastic Cloud API key used for project creation operations.
`EC_BASE_URL`	No	Cloud API base URL (default: `https://api.elastic-cloud.com`).

Note: If EC_API_KEY is missing, or the user does not have a Cloud API key yet, direct the user to generate one at Elastic Cloud API keys, then configure it locally using the steps below.

Preferred method (agent-friendly): create a .env file in the project root:

EC_API_KEY=your-api-key
EC_BASE_URL=https://api.elastic-cloud.com

All cloud/* scripts auto-load .env from the working directory.

Alternative: export directly in the terminal:

export EC_API_KEY="<your-cloud-api-key>"
export EC_BASE_URL="https://api.elastic-cloud.com"

Terminal exports may not be visible to sandboxed agents running in separate shell sessions, so prefer .env when using an agent.

Critical principles

Never display secrets in chat. Do not echo, log, or repeat API keys, passwords, or credentials in conversation messages or agent thinking. Direct the user to the .elastic-credentials file instead. The admin password must never appear in chat history, thinking traces, or agent output.
Confirm before creating. Always present the project configuration to the user and ask for confirmation before running the creation script.
Admin credentials are for API key creation only. The script saves the admin password to .elastic-credentials for bootstrapping a scoped API key. The admin user has full privileges and cannot be modified in serverless. Never use admin credentials for direct Elasticsearch operations (querying, indexing, etc.) — always create a scoped API key first (see Step 8). The load-credentials command excludes admin credentials by default — use --include-admin only during Step 7/8, then reload without it once the API key is created. Never read or display the contents of .elastic-credentials in chat.

Project types

Type	Description	Key endpoints
`elasticsearch`	Search, analytics, and vector workloads	Elasticsearch, Kibana
`observability`	Logs, metrics, traces, and APM	Elasticsearch, Kibana, APM, OTLP
`security`	SIEM, endpoint protection, cloud security	Elasticsearch, Kibana, OTLP

Project type inference

Map the user's request to the correct --type value:

User says	`--type`
"search project", "elasticsearch project", vector search	`elasticsearch`
"observability project", "o11y", logs, metrics, traces, APM	`observability`
"security project", "SIEM", detections, endpoint protection	`security`

Do not silently default to any type. If the user does not specify a type, infer it from the conversation context (for example, discussing log ingestion suggests observability, discussing detections or SIEM suggests security, discussing search or vector workloads suggests elasticsearch). Always present the inferred type to the user and ask for confirmation before proceeding. If context is insufficient to infer a type, ask the user to choose.

Product tiers

Observability and security projects support a --product-tier flag. Default to complete unless the user explicitly requests a different tier.

Project type	Tier	Description
`observability`	`complete`	Full observability suite (logs, metrics, traces, APM)
`observability`	`logs_essentials`	Log management only
`security`	`complete`	Full security suite (SIEM, cloud, endpoint)
`security`

Elasticsearch projects do not have a product tier — use --optimized-for instead.

Sensible defaults

Present these defaults to the user before creation. Ask if they want to use or change them:

Setting	Default
Region	`gcp-us-central1`

Project type must be confirmed with the user — do not assume a default. See "Project type inference" above.

Always use --optimized-for general_purpose unless the user explicitly requests vector. Do not proactively offer the vector option.

If the user does not specify a name, ask for one — it is required.

Workflow: Create a project

Project Creation:
- [ ] Step 1: Verify API key is set
- [ ] Step 2: Present defaults and confirm with user
- [ ] Step 3: List available regions (optional)
- [ ] Step 4: Create the project
- [ ] Step 5: Save credentials and endpoints
- [ ] Step 6: Wait for project to initialize
- [ ] Step 7: Set environment variables
- [ ] Step 8: Recommend creating a scoped API key

Step 1: Verify API key is set

echo "${EC_API_KEY:?Not set}"

If EC_API_KEY is not set, run the cloud-setup skill first to configure authentication and defaults.

Step 2: Present summary and confirm with user

Before presenting the summary, ensure the project type has been explicitly confirmed by the user. If no type was specified, infer one from the conversation context and propose it. If the context is ambiguous, ask the user to choose from elasticsearch, observability, or security.

Always show a confirmation summary before creating. Include different fields depending on project type:

Elasticsearch project:

Project Summary:
  Type:          elasticsearch
  Name:          my-project
  Region:        gcp-us-central1

Observability project:

Project Summary:
  Type:          observability
  Name:          my-project
  Region:        gcp-us-central1
  Product tier:  complete

Security project:

Project Summary:
  Type:          security
  Name:          my-project
  Region:        gcp-us-central1
  Product tier:  complete

Ask the user to confirm or override any values before proceeding.

Step 3: List available regions (optional)

python3 skills/cloud/create-project/scripts/create-project.py list-regions

The output is grouped by cloud provider (AWS, Azure, GCP) and sorted alphabetically. Regions marked with * do not support project creation.

Step 4: Create the project

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type elasticsearch \
  --name "my-project" \
  --region gcp-us-central1 \
  --optimized-for general_purpose \
  --wait

Always pass --optimized-for general_purpose for Elasticsearch projects. Only use vector if the user explicitly requests it.

For observability and security projects, pass --product-tier complete unless the user explicitly requests a different tier.

Always pass --wait so the script automatically polls until the project is ready.

Step 5: Save credentials and endpoints

The script automatically writes credentials to .elastic-credentials in the working directory. The password is redacted from the JSON output on stdout.

If saving succeeds , tell the user:

Credentials saved to .elastic-credentials — open that file to retrieve your password.

Do not read, cat, or display the contents of .elastic-credentials in chat.

If saving fails , the script prints an error to stderr. Check whether .elastic-credentials exists and contains a password (a partial write is possible). If the password is missing or the file does not exist, immediately run the cloud-manage-project skill's reset-credentials command to generate a new password.

The creation response also contains:

Project ID — needed for all subsequent operations
Cloud ID — for client libraries
Elasticsearch and Kibana endpoints — safe to display in chat

The admin credentials are for initial bootstrap only. Recommend creating a scoped API key for ongoing access (Step 8).

Step 6: Wait for project to initialize

When --wait is passed (recommended), the script polls automatically until the project phase becomes initialized. No manual polling is needed.

If the agent ran without --wait, poll manually:

python3 skills/cloud/create-project/scripts/create-project.py status \
  --type elasticsearch \
  --id <project-id>

Repeat until phase changes from initializing to initialized.

Step 7: Set environment variables

The creation script saves credentials and endpoints to .elastic-credentials with the project name in the header. Load them into the current shell with--include-admin so admin credentials are available for API key creation in Step 8:

eval $(python3 skills/cloud/manage-project/scripts/manage-project.py load-credentials \
  --name "<project-name>" --include-admin)

This sets ELASTICSEARCH_URL, KIBANA_URL, any project-type specific endpoints (APM_URL, INGEST_URL), and the admin ELASTICSEARCH_USERNAME/ELASTICSEARCH_PASSWORD needed to bootstrap an API key.

Step 8: Create a scoped API key

The admin user has full privileges and cannot be modified in serverless projects. Do not proceed with Elasticsearch operations using admin credentials. Create a scoped Elasticsearch API key with only the permissions the user needs.

If the elasticsearch-authn skill is available, use it for API key creation — it covers the full lifecycle (create, grant, invalidate, query) and handles scoping privileges correctly. If the skill is not installed, ask the user to either install it or create the API key manually through Kibana > Stack Management > API keys. After creation, save the API key to .elastic-credentials using the project-specific header format (see manage-project skill's "Credential file format" section), then reload without--include-admin to drop admin credentials from the environment:

eval $(python3 skills/cloud/manage-project/scripts/manage-project.py load-credentials \
  --name "<project-name>")

Examples

Create an Elasticsearch project with defaults

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type elasticsearch \
  --name "my-search-project" \
  --region gcp-us-central1 \
  --optimized-for general_purpose \
  --wait

Create an observability project

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type observability \
  --name "prod-o11y" \
  --region aws-eu-west-1 \
  --product-tier complete \
  --wait

Create a security project

python3 skills/cloud/create-project/scripts/create-project.py create \
  --type security \
  --name "siem-prod" \
  --region gcp-us-central1 \
  --product-tier complete \
  --wait

Guidelines

Run the cloud-setup skill first if EC_API_KEY is not set.
Always confirm the project configuration with the user before creating.
Never display passwords or API keys in chat. Direct the user to .elastic-credentials.
Never silently default to a project type. Infer from context and confirm with the user.
Default to general_purpose optimization. Only use vector if the user explicitly requests it.
Default to complete product tier for observability and security projects. Only use logs_essentials or essentials if the user explicitly requests it.
Always pass --wait so the script polls until the project is ready.

Script reference

Command	Description
`create`	Create a new serverless project
`status`	Get project initialization status
`list-regions`	List available regions
Flag	Commands
---	---
`--type`	create, status
`--name`	create
`--region`

Environment variables

Variable	Required	Description
`EC_API_KEY`	Yes	Elastic Cloud API key
`EC_BASE_URL`	No	Cloud API base URL (default: `https://api.elastic-cloud.com`)
`ELASTICSEARCH_URL`	Output	Elasticsearch URL (loaded via `load-credentials` after creation)
`KIBANA_URL`	Output

Additional resources

For full API details, request/response schemas, and project-type options, see references/api-reference.md

Weekly Installs

123

Repository

elastic/agent-skills

GitHub Stars

First Seen

11 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

cursor109

github-copilot101

opencode100

gemini-cli100

codex100

amp100

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

138,800 周安装

Recover lost credentials. If the script fails to write .elastic-credentials (disk full, permissions, etc.), the save may be incomplete. Check .elastic-credentials for the password first. If missing, use the cloud-manage-project skill's reset-credentials command to generate a new password.

Region is permanent. A project's region cannot be changed after creation.

Prefer automatic readiness checks. Pass --wait to the creation script so it polls until the phase changes from initializing to initialized. Only fall back to manually polling the status endpoint if --wait is unavailable.

If credential saving fails, immediately reset credentials using the cloud-manage-project skill.

After creation, recommend creating a scoped API key instead of relying on admin credentials.

Region cannot be changed after creation — confirm the choice before proceeding.

`EC_API_KEY`	是	用于项目创建操作的 Elastic Cloud API 密钥。
`EC_BASE_URL`	否	Cloud API 基础 URL（默认：`https://api.elastic-cloud.com`）。