OAuth2 token creation is not supported for service accounts – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.14-8.9

Before you dig into reading this guide, have you tried asking OpsGPT what this log means? You’ll receive a customized analysis of your log.

Try OpsGPT now for step-by-step guidance and tailored insights into your Elasticsearch operation.

Briefly, this error occurs when you’re trying to generate an OAuth2 token using a service account in Elasticsearch. Service accounts are not meant for direct use by users, hence they don’t support OAuth2 token creation. To resolve this issue, you can either use a regular user account to generate the OAuth2 token or use API keys for service accounts. Alternatively, you can create a service account token if your use case allows it. Remember to ensure that the account has the necessary permissions for the operations you want to perform.

For a complete solution to your to your search operation, try for free AutoOps for Elasticsearch & OpenSearch . With AutoOps and Opster’s proactive support, you don’t have to worry about your search operation – we take charge of it. Get improved performance & stability with less hardware.

This guide will help you check for common problems that cause the log ” OAuth2 token creation is not supported for service accounts ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “OAuth2 token creation is not supported for service accounts” class name is TransportCreateTokenAction.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 case PASSWORD; KERBEROS -> authenticateAndCreateToken(type; request; listener);
 Authentication authentication = securityContext.getAuthentication();
 if (authentication.isServiceAccount()) {
 // Service account itself cannot create OAuth2 tokens.
 listener.onFailure(new ElasticsearchException("OAuth2 token creation is not supported for service accounts"));
 createToken(type; request; authentication; authentication; false; listener);
 default -> listener.onFailure(


How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?