I assume you have security enabled in ES and Kibana? Otherwise I would expect that you shouldn't see an "Authentication Error" at all.
The reason the index wasn't created was because the alert didn't actually run, or at least run to completion - there's a chance it got all the way to executing the actions, but I'd guess it failed before it even completed whatever the alert was querying on.
In other words, the problem is with the alert, and not the actions.
I'm not used to seeing Authentication errors here, as usually by the time you've created an alert, you've passed through tons of authn/authz, so I'm not quite sure how this happened.
With security on, we create API keys based on the user who last updated the alert, and use that API key as the authentication when the alert runs (and presumably queries an index) and when actions run (e.g., the index action writing a document to an index).
You could try updating that API key by disabling the alert, then enabling it - we build a new API key based on the user that enables the alert as well. So give that a try.
I'm also wondering what sort of security you are using to access Kibana / Elasticsearch. SAML? PKI? Basic?
Also wondering if there's anything else "security-ish" in your Kibana logs, or ES logs.
I do not use the security of Kibana but that of Search Guard. I wanted to send emails because this one was free.
By reading your answer I understand that the problem therefore comes from Search Guard. So I think I used the security on the Kibana side and not Search Guard.
Thanks for showing me the problem. If it doesn't work out anyway, I'll get back to you.