Briefly, this error occurs when the Elasticsearch user tries to execute a “run-as” command with credentials that do not have the necessary permissions. The “run-as” feature allows one user to execute commands as another user. To resolve this issue, you can either provide the correct credentials that have “run-as” permissions or modify the existing user’s permissions to include “run-as”. Alternatively, you can disable the “run-as” feature if it’s not required. Always ensure to follow the principle of least privilege when assigning permissions to avoid potential security risks.
This guide will help you check for common problems that cause the log ” the provided grant credentials do not support run-as ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “the provided grant credentials do not support run-as” class name is TransportGrantAction.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :
if (authentication.isRunAs()) {
final String effectiveUsername = authentication.getEffectiveSubject().getUser().principal();
if (runAsUsername != null && false == runAsUsername.equals(effectiveUsername)) {
// runAs is ignored
listener.onFailure(
new ElasticsearchStatusException("the provided grant credentials do not support run-as"; RestStatus.BAD_REQUEST)
);
} else {
// Authentication can be run-as even when runAsUsername is null.
// This can happen when the authentication itself is a run-as client-credentials token.
assert runAsUsername != null || "access_token".equals(request.getGrant().getType());
