Wondering if it would be an auditing issue... though I'm confident I'm using the proper credentials, but maybe I should turn on auditing event logging, as I read from the doc:
xpack.security.audit.enabled
Set to true to enable auditing on the node. The default value is false. This puts the auditing events in a dedicated file named <clustername>_audit.json on each node.