Migrating to Elasticsearch 5.4.0 on Heroku using Elastic Cloud: [indices:admin/delete] requires authentication.

Aaron Careaga
1 min readMay 31, 2017

I learned the hard way how to setup access authentication for a protected cluster after upgrading to Elasticsearch 5.4.0 on Heroku’s Elastic Cloud service. Our previous instance did not require Shield access authentication.

After porting the changes and pushing the upgrade, I hit the following error when rebuilding indices:

Elasticsearch::Transport::Transport::Errors::Unauthorized: [401] {“error”:{“root_cause”:[{“type”:”security_exception”,”reason”:”action [indices:admin/delete] requires authentication”,”header”:{“WWW-Authenticate”:”Basic realm=\”security\” charset=\”UTF-8\””}}],”type”:”security_exception”,”reason”:”action [indices:admin/delete] requires authentication”,”header”:{“WWW-Authenticate”:”Basic realm=\”security\” charset=\”UTF-8\””}},”status”:401}

To setup access authentication using a transport service:

(1) Install and configure the `elasticsearch-transport` gem (or alternative for non-Rails projects)

gem 'elasticsearch-transport', '~> 5.0.4'

(2) Push changes to Heroku server

$ git push heroku <app-name> <branch-name>

(3) Update your version on Elastic Cloud. This is accessible from the Heroku Dashboard add-on section.

Version: 5.4.0

Note: Shield is enabled by default. Save the auto-generated password that is provided for the `elastic` user.

(4) Using `elastic` credentials, log into Kibana and create an additional superuser. This is accessible from the Elastic Cloud dashboard, click on Kibana and then the management tab and elasticsearch security.

# Elasticsearch security via Kibana management tab
user: <user>
pass: <password>
role: superuser

(5) Set the access credentials on the config variable `FOUNDELASTICSEARCH_URL` like:


This is accessible from your Heroku dashboard settings tab.

(6) Run rake commands to rebuild indices on Heroku environment.

$ heroku run rake elasticsearch:import:all

You should be good to go now.