elastic · jsoriano · Jun 10, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
@@ -66,6 +66,8 @@ func TestValidateFile(t *testing.T) {
 		"logs_synthetic_mode":                    {},
 		"kibana_configuration_links":             {},
 		"with_links":                             {},
+		"good_provider_permissions":              {},
+		"good_provider_permissions_input":        {},
 		"bad_duration_vars": {
 			"manifest.yml",
 			[]string{
@@ -246,6 +248,30 @@ func TestValidateFile(t *testing.T) {
 				"\"Dashboard with mixed by-value visualizations\" contains legacy visualization: \"Timelion time series\" (timelion, Timelion)",
 			},
 		},
+		"bad_provider_permissions": {
+			"manifest.yml",
+			[]string{
+				`field provider_permissions.0: provider is required`,
+			},
+		},
+		"bad_provider_permissions_old_version": {
+			"manifest.yml",
+			[]string{
+				`field (root): Additional property provider_permissions is not allowed`,
+			},
+		},
+		"bad_provider_permissions_missing_name": {
+			"manifest.yml",
+			[]string{
+				`field provider_permissions.0.permissions.0: name is required`,
+			},
+		},
+		"bad_provider_permissions_extra_field": {
+			"manifest.yml",
+			[]string{
+				`field provider_permissions.0.permissions.0: Additional property resources is not allowed`,
+			},
+		},
 		"bad_deployment_mode": {
 			"manifest.yml",
 			[]string{

@@ -8,6 +8,9 @@
     - description: Add support for semantic_text field definition.
       type: enhancement
       link: https://github.com/elastic/package-spec/pull/807
+    - description: Add provider_permissions field to package, policy_template, input, and data_stream levels for declaring provider-specific permissions.
+      type: enhancement
+      link: https://github.com/elastic/package-spec/pull/0000
 - version: 3.6.3
   changes:
     - description: Add optional `release` field to agentless deployment mode to explicitly declare its release stage.

@@ -84,6 +84,8 @@ spec:
             $ref: "../integration/manifest.spec.yml#/definitions/var_groups"
           sections:
             $ref: "../integration/manifest.spec.yml#/definitions/sections"
+          provider_permissions:
+            $ref: "../integration/manifest.spec.yml#/definitions/provider_permissions"
           input:
             type: string
             examples:
@@ -146,6 +148,8 @@ spec:
       $ref: "../integration/manifest.spec.yml#/definitions/var_groups"
     sections:
       $ref: "../integration/manifest.spec.yml#/definitions/sections"
+    provider_permissions:
+      $ref: "../integration/manifest.spec.yml#/definitions/provider_permissions"
     owner:
       $ref: "../integration/manifest.spec.yml#/definitions/owner"
     agent:
@@ -172,6 +176,12 @@ spec:
 
 # JSON patches for newer versions should be placed on top
 versions:
+  - before: 3.7.0
+    patch:
+      - op: remove
+        path: "/properties/provider_permissions"
+      - op: remove
+        path: "/properties/policy_templates/items/properties/provider_permissions"
-  - before: 3.7.0
-    patch:
-      - op: remove
-        path: "/properties/provider_permissions"
-      - op: remove
-        path: "/properties/policy_templates/items/properties/provider_permissions"
-  - before: 3.7.0
-    patch:
-      - op: remove
-        path: "/properties/provider_permissions"
-      - op: remove
-        path: "/properties/policy_templates/items/properties/provider_permissions"
   - before: 3.6.0
     patch:
       - op: remove

@@ -706,10 +706,17 @@ spec:
       $ref: "../../integration/manifest.spec.yml#/definitions/categories"
     deprecated:
       $ref: "../../integration/manifest.spec.yml#/definitions/deprecated"
+    provider_permissions:
+      $ref: "../../integration/manifest.spec.yml#/definitions/provider_permissions"
   required:
   - title
 # JSON patches for newer versions should be placed on top
 versions:
+  - before: 3.7.0
+    patch:
+      # provider_permissions field for provider-specific permission declarations.
+      - op: remove
+        path: "/properties/provider_permissions"
-  - before: 3.7.0
-    patch:
-      # provider_permissions field for provider-specific permission declarations.
-      - op: remove
-        path: "/properties/provider_permissions"
-  - before: 3.7.0
-    patch:
-      # provider_permissions field for provider-specific permission declarations.
-      - op: remove
-        path: "/properties/provider_permissions"
   - before: 3.6.0
     patch:
       - op: add

@@ -736,6 +736,85 @@ spec:
       type: string
       examples:
         - httpjson
+    provider_permissions:
+      description: >
+        Permissions and roles this integration unit requires from the named provider.
+        May be declared at package, policy_template, input, and data_stream levels.
+      type: array
+      items:
+        type: object
+        additionalProperties: false
+        required:
+          - provider
+        properties:
+          provider:
+            description: >
+              Identifier of the provider these permissions apply to
+              (e.g. "aws", "gcp", "azure", "kubernetes", "okta").
-              (e.g. "aws", "gcp", "azure", "kubernetes", "okta").
-              (e.g. "aws", "gcp", "azure", "kubernetes", "okta").
+            type: string
+            examples:
+              - aws
+              - gcp
+              - azure
+              - kubernetes
+              - okta
+              - github
+          description:
+            description: Human-readable description of why these permissions are needed.
+            type: string
+          roles:
+            description: Pre-defined roles or managed policies to attach alongside inline permissions.
+            type: array
+            items:
+              type: object
+              additionalProperties: false
+              required:
+                - name
+              properties:
+                name:
+                  description: Display name of the role or managed policy.
+                  type: string
+                  examples:
+                    - SecurityAudit
+                    - Storage Blob Data Reader
+                    - roles/logging.viewer
+                    - cluster-reader
+                id:
+                  description: Provider-specific identifier for this role or managed policy.
+                  type: string
+                  examples:
+                    - arn:aws:iam::aws:policy/SecurityAudit
+                    - roles/storage.objectViewer
+                    - 2a2b9908-6ea1-4ae2-8e65-a410df84e7d1
+                description:
+                  description: Human-readable description of this role.
+                  type: string
+          permissions:
+            description: Individual permission grants required by this integration unit.
+            type: array
+            items:
+              type: object
+              additionalProperties: false
+              required:
+                - name
+              properties:
+                name:
+                  description: Provider-specific permission or action name.
+                  type: string
+                  examples:
+                    - s3:GetObject
+                    - ec2:DescribeInstances
+                    - storage.objects.get
+                    - monitoring.timeSeries.list
+                    - Microsoft.Compute/virtualMachines/read
+                    - Microsoft.Insights/metrics/read
+                    - pods:list
+                    - namespaces:get
+                    - okta.users.read
+                    - contents:read
+                description:
+                  description: Human-readable description of why this permission is needed.
+                  type: string
   properties:
     format_version:
       description: The version of the package specification format used by this package.
@@ -766,6 +845,8 @@ spec:
       $ref: "#/definitions/categories"
     conditions:
       $ref: "#/definitions/conditions"
+    provider_permissions:
+      $ref: "#/definitions/provider_permissions"
     # requires a conditional JSON schema to update the value depending
     # on the policy_templates length
     policy_templates_behavior:
@@ -903,6 +984,8 @@ spec:
                       type: string
                   examples:
                     - credential_type: [cloud_connectors]
+                provider_permissions:
+                  $ref: "#/definitions/provider_permissions"
               required:
                 - title
                 - description
@@ -923,6 +1006,8 @@ spec:
             $ref: "#/definitions/sections"
           deprecated:
             $ref: "#/definitions/deprecated"
+          provider_permissions:
+            $ref: "#/definitions/provider_permissions"
         required:
           - name
           - title
@@ -991,6 +1076,17 @@ spec:
 
 # JSON patches for newer versions should be placed on top
 versions:
+  - before: 3.7.0
+    patch:
+      # provider_permissions field for provider-specific permission declarations.
+      - op: remove
+        path: "/definitions/provider_permissions"
+      - op: remove
+        path: "/properties/provider_permissions"
+      - op: remove
+        path: "/properties/policy_templates/items/properties/provider_permissions"
+      - op: remove
+        path: "/properties/policy_templates/items/properties/inputs/items/properties/provider_permissions"
   - before: 3.6.0
     patch:
       # Input qualifier (named inputs).