Fix apm agentcfg api key privileges (#4083)

Align with feature-roles.asciidoc

(cherry picked from commit b83fce4)

docs/en/observability/apm/access-api-keys.asciidoc

@@ -29,10 +29,11 @@ In the role descriptors box, assign the appropriate privileges to the new API ke
 ----
 {
     "apm_writer": {
+        "cluster": ["monitor"],
         "index": [
             {
-                "names": ["apm-*"],
-                "privileges": ["create_index", "create_doc"]
+                "names": ["traces-apm*","logs-apm*", "metrics-apm*"],
+                "privileges": ["auto_configure", "create_doc"]
             }
         ]
     },
@@ -48,7 +49,8 @@ In the role descriptors box, assign the appropriate privileges to the new API ke
         "index": [
             {
                 "names": [".apm-agent-configuration"],
-                "privileges": ["read"]
+                "privileges": ["read"],
+                "allow_restricted_indices": true
             }
         ]
     }
@@ -130,10 +132,11 @@ POST /_security/api_key
   "name": "apm_host001", <1>
   "role_descriptors": {
     "apm_writer": { <2>
+      "cluster": ["monitor"],
       "index": [
         {
-          "names": ["apm-*"],
-          "privileges": ["create_index", "create_doc"]
+          "names": ["traces-apm*","logs-apm*", "metrics-apm*"],
+          "privileges": ["auto_configure", "create_doc"]
         }
       ]
     },
@@ -149,7 +152,8 @@ POST /_security/api_key
       "index": [
         {
           "names": [".apm-agent-configuration"],
-          "privileges": ["read"]
+          "privileges": ["read"],
+          "allow_restricted_indices": true
         }
       ]
     }
@@ -169,4 +173,4 @@ See the {es} API key documentation for more information:
 
 * {ref}/security-api-create-api-key.html[Create API key]
 * {ref}/security-api-get-api-key.html[Get API key information]
-* {ref}/security-api-invalidate-api-key.html[Invalidate API key]
+* {ref}/security-api-invalidate-api-key.html[Invalidate API key]