OAuth2 token creation is not supported for service accounts – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.14-8.9

Briefly, this error occurs when you try to generate an OAuth2 token using a service account in Elasticsearch. Service accounts are not meant for direct use by users, so they don’t support OAuth2 token creation. To resolve this issue, either use a regular user account to generate the OAuth2 token or use API keys for service accounts. Alternatively, create a service account token if your use case allows it. Ensure that the account has the necessary permissions for the operations you want to perform.
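The following Python pre-flight check is an added example, not part of the original guide or of the Elasticsearch code base. It inspects the parsed response of GET /_security/_authenticate and picks a token request the cluster will accept for that caller. The realm type `_service_account`, the metadata key, the token-name rule, the sample responses and the default token name are assumptions or constructed values; verify them against your cluster version.

```python
"""Pick a token request that matches the kind of principal making the call."""
import re

# Assumed markers of a service-account principal in the _authenticate response.
SERVICE_ACCOUNT_REALM = "_service_account"
# Conservative token-name rule (assumption): alphanumerics, '-' and '_', no leading '_'.
TOKEN_NAME_RE = re.compile(r"[A-Za-z0-9-][A-Za-z0-9_-]{0,255}")

# Constructed sample responses, not captured from a real cluster.
SERVICE_WHOAMI = {
    "username": "elastic/fleet-server",
    "authentication_realm": {"name": "_service_account", "type": "_service_account"},
    "metadata": {"_elastic_service_account": True},
}
USER_WHOAMI = {
    "username": "alice",
    "authentication_realm": {"name": "native1", "type": "native"},
    "metadata": {},
}

def is_service_account(whoami: dict) -> bool:
    """whoami is the parsed JSON body of GET /_security/_authenticate."""
    realm = whoami.get("authentication_realm") or {}
    meta = whoami.get("metadata") or {}
    return realm.get("type") == SERVICE_ACCOUNT_REALM or meta.get("_elastic_service_account") is True

def plan_token_request(whoami: dict, token_name: str = "example-token") -> dict:
    """Return the request to send instead of blindly POSTing to the OAuth2 endpoint."""
    if not is_service_account(whoami):
        # A regular user may mint an OAuth2 token for itself.
        return {"issued_by": whoami["username"], "method": "POST",
                "path": "/_security/oauth2/token",
                "body": {"grant_type": "client_credentials"}}
    # Service account: OAuth2 creation would fail, so plan a service account token.
    if not TOKEN_NAME_RE.fullmatch(token_name):
        raise ValueError(f"invalid token name: {token_name!r}")
    namespace, _, service = whoami["username"].partition("/")
    if not namespace or not service:
        raise ValueError(f"unexpected service account name: {whoami['username']!r}")
    # Must be sent by a user holding the manage_service_account cluster privilege.
    return {"issued_by": "user with manage_service_account", "method": "POST",
            "path": f"/_security/service/{namespace}/{service}/credential/token/{token_name}",
            "body": None}

if __name__ == "__main__":
    for who in (SERVICE_WHOAMI, USER_WHOAMI):
        print(who["username"], "->", plan_token_request(who))
```

Rejecting token names that contain anything other than the allowed characters also keeps the caller-supplied name from altering the request path.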

This guide will help you check for common problems that cause the log “OAuth2 token creation is not supported for service accounts” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

The log “OAuth2 token creation is not supported for service accounts” is emitted from the class TransportCreateTokenAction.java. We extracted the following from the Elasticsearch source code for those seeking in-depth context:

    case PASSWORD, KERBEROS -> authenticateAndCreateToken(type, request, listener);
    case CLIENT_CREDENTIALS -> {
        Authentication authentication = securityContext.getAuthentication();
        if (authentication.isServiceAccount()) {
            // Service account itself cannot create OAuth2 tokens.
            listener.onFailure(new ElasticsearchException("OAuth2 token creation is not supported for service accounts"));
            return;
        }
        createToken(type, request, authentication, authentication, false, listener);
    }
    default -> listener.onFailure(