diff --git a/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.test.ts b/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.test.ts
index 826965f718b7d0..35df279b47b4ae 100644
--- a/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.test.ts
+++ b/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.test.ts
@@ -153,5 +153,23 @@ describe('credentialStore', () => {
 expect(securityStartMock.authc.apiKeys.invalidateAsInternalUser).toHaveBeenCalled();
 });
+
+ it('falls back to user credentials when error granting API key', async () => {
+ const credStore = credentialStoreFactory(logMock);
+
+ securityStartMock.authc.apiKeys.grantAsInternalUser.mockRejectedValue(
+ new Error('Error granting API key')
+ );
+
+ await credStore.set({
+ request: requestMock,
+ reindexOp: reindexOpMock,
+ security: securityStartMock,
+ });
+
+ expect(credStore.get(reindexOpMock)).toEqual({
+ authorization: basicAuthHeader,
+ });
+ });
 });
 });
diff --git a/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts b/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts
index 7f3f4f2b3074c4..7fff64daab2b47 100644
--- a/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts
+++ b/x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts
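Review bot: The new test only checks the value returned by `credStore.get(reindexOpMock)`, so it would still pass if `set` never reached `grantAsInternalUser` at all, for instance if the setup of this `describe` (outside the hunk) reported API keys as unavailable. Adding `expect(securityStartMock.authc.apiKeys.grantAsInternalUser).toHaveBeenCalled();` pins the test to the failure path it is named after. `mockRejectedValue` also stays installed on the shared `securityStartMock` unless a `beforeEach` outside the hunk resets it, so `mockRejectedValueOnce` would keep the rejection local to this test.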
@@ -56,18 +56,28 @@ export const credentialStoreFactory = (logger: Logger): CredentialStore => {
 security?: SecurityPluginStart;
 reindexOpId: string;
 }): Promise => {
- const apiKeyResult = await security?.authc.apiKeys.grantAsInternalUser(request, {
- name: `ua_reindex_${reindexOpId}`,
- role_descriptors: {},
- });
-
- if (apiKeyResult) {
- const { api_key: apiKey, id } = apiKeyResult;
- // Store each API key per reindex operation so that we can later invalidate it when the reindex operation is complete
- apiKeysMap.set(reindexOpId, id);
- // Returns the base64 encoding of `id:api_key`
- // This can be used when sending a request with an "Authorization: ApiKey xxx" header
- return Buffer.from(`${id}:${apiKey}`).toString('base64');
+ try {
+ const apiKeyResult = await security?.authc.apiKeys.grantAsInternalUser(request, {
+ name: `ua_reindex_${reindexOpId}`,
+ role_descriptors: {},
+ metadata: {
+ description:
+ 'Created by the Upgrade Assistant for a reindex operation; this can be safely deleted after Kibana is upgraded.',
+ },
+ });
+
+ if (apiKeyResult) {
+ const { api_key: apiKey, id } = apiKeyResult;
+ // Store each API key per reindex operation so that we can later invalidate it when the reindex operation is complete
+ apiKeysMap.set(reindexOpId, id);
+ // Returns the base64 encoding of `id:api_key`
+ // This can be used when sending a request with an "Authorization: ApiKey xxx" header
+ return Buffer.from(`${id}:${apiKey}`).toString('base64');
+ }
+ } catch (error) {
+ // There are a few edge cases were granting an API key could fail,
+ // in which case we fall back to using the requestor's credentials in memory
+ return undefined;
 }
 };
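Review bot: The new `catch (error)` block returns `undefined` without recording anything, so a failed grant silently moves the reindex operation from a dedicated API key to the requestor's own credentials held in memory, and the logs give no sign that the downgrade happened. `logger` is in scope from `credentialStoreFactory = (logger: Logger)`, so I would log before returning, for example `logger.warn('Failed to grant API key for reindex operation ' + reindexOpId + '; falling back to the request credentials');`, keeping the raw error object out of the message unless it is known not to carry request details. The `try` also wraps the whole success path, so any unexpected exception there is treated the same as a refused grant. Minor: the comment reads "edge cases were", which should be "where". The enclosing function starts outside the hunk.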