OAuth2 token creation is not supported for service accounts – How to solve this Elasticsearch error

Opster Team

March-22, Version: 1.7-8.0

Before you begin reading this guide, we recommend you try running the Elasticsearch Error Check-Up which analyzes 2 JSON files to detect many configuration errors.

To easily locate the root cause and resolve this issue try AutoOps for Elasticsearch & OpenSearch. It diagnoses problems by analyzing hundreds of metrics collected by a lightweight agent and offers guidance for resolving them.

This guide will help you check for common problems that cause the log ” OAuth2 token creation is not supported for service accounts ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “OAuth2 token creation is not supported for service accounts”classname  is TransportCreateTokenAction.java We extracted the following from Elasticsearch source code for those seeking an in-depth context :

Authentication authentication = securityContext.getAuthentication();
 if (authentication.isServiceAccount()) {
 // Service account itself cannot create OAuth2 tokens.
 // But it is possible to create an oauth2 token if the service account run-as a different user.
 // In this case; the token will be created for the run-as user (not the service account).
 listener.onFailure(new ElasticsearchException("OAuth2 token creation is not supported for service accounts"));
 createToken(type; request; authentication; authentication; false; listener);
 default -> listener.onFailure(


Watch product tour

Try AutoOps to find & fix Elasticsearch problems

Analyze Your Cluster
Skip to content