The provided grant credentials do not support run-as – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 8.4-8.9

Briefly, this error occurs when the Elasticsearch user tries to execute a “run-as” command with credentials that do not have the necessary permissions. The “run-as” feature allows one user to execute commands as another user. To resolve this issue, you can either provide the correct credentials that have “run-as” permissions or modify the existing user’s permissions to include “run-as”. Alternatively, you can disable the “run-as” feature if it’s not required. Always ensure to follow the principle of least privilege when assigning permissions to avoid potential security risks.

This guide will help you check for common problems that cause the log ” the provided grant credentials do not support run-as ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “the provided grant credentials do not support run-as” class name is TransportGrantAction.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 if (authentication.isRunAs()) {
 final String effectiveUsername = authentication.getEffectiveSubject().getUser().principal();
 if (runAsUsername != null && false == runAsUsername.equals(effectiveUsername)) {
 // runAs is ignored
 listener.onFailure(
 new ElasticsearchStatusException("the provided grant credentials do not support run-as"; RestStatus.BAD_REQUEST)
 );
 } else {
 // Authentication can be run-as even when runAsUsername is null.
 // This can happen when the authentication itself is a run-as client-credentials token.
 assert runAsUsername != null || "access_token".equals(request.getGrant().getType());

 

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?