elastic · lcawl · Sep 17, 2020 · Sep 15, 2020 · Sep 15, 2020 · Sep 17, 2020
diff --git a/x-pack/docs/en/rest-api/security/create-api-keys.asciidoc b/x-pack/docs/en/rest-api/security/create-api-keys.asciidoc
@@ -19,6 +19,10 @@ Creates an API key for access without requiring basic authentication.
 
 * To use this API, you must have at least the `manage_api_key` cluster privilege.
 
+IMPORTANT: If the credential that is used to authenticate this request is
+an API key, then the derived API key that is created cannot have any privileges.
+See the note under `role_descriptors`.
+
 [[security-api-create-api-key-desc]]
 ==== {api-description-title}
 
@@ -57,6 +61,12 @@ thereby limiting the access scope for API keys.
 The structure of role descriptor is the same as the request for create role API.
 For more details, see <<security-api-put-role, create or update roles API>>.
 
+NOTE: Due to the way in which this permission intersection is calculated, it is not
+possible to create an API key that is a child of another API key, unless the derived
+key is created without any privileges. In this case, you must explicitly specify a
+role descriptor with no privileges, and the derived API key can be used for
+authentication only, but will not have access to call {es} APIs.
+
 `expiration`::
 (Optional, string) Expiration time for the API key. By default, API keys never
 expire.