We managed to solve this issue using:
- a dedicated ROR block with high privileges
- and a one-time command to set up the beats (see details below).

But for some reason the error message ‘401 unauthorized returned by the beats’ is not logged in the readonlyrest_audit index.
- readonlyrest.yml index

```yaml
- name: "beat --setup user"
  type: allow
  auth_key: beatinstall:changeme
  actions: ["cluster:*", "indices:*", "internal:*"]
  verbosity: info
```
- server terminal output

```
# using the default credentials stored in the beat yml file
root@server01:/etc/heartbeat-elastic# heartbeat test config
Config OK
root@server01:/etc/heartbeat-elastic# heartbeat test output
elasticsearch: https://server07:9200...
parse url... OK
connection...
. . .
talk to server... OK
version: 8.5.2
# set up the template, ILM rules, Kibana dashboard etc., using a superuser with env variables that overwrite the ones stored in the beat yml file
root@server01:/etc/heartbeat-elastic# heartbeat setup -E "output.elasticsearch.username=beatinstall" -E "output.elasticsearch.password=xxxxxxxxxx"
Index setup finished.
```
Have a nice day,
Kr,
Gautier.