One alternative that I can think of requires some code outside of elasticsearch querying for a list of documents that are past their TTL (a range query less than or equal to the current time in milliseconds for the _ttl field) and then issuing deletes in a bulk request. This code would provide credentials that had a role in Shield with the appropriate permissions. This code would also run on a schedule.
What I described above is what elasticsearch does internally for TTL, but the addition is providing credentials.
We have been looking at all of the limitations of Shield and have been trying to think of the proper ways to solve them, so my hope is that we will be able to remove this limitation in the future. Unfortunately, I don't have a timeline right now.