Permission problem with OpenSearch to Athena connector

0

Hello, I followed this guide to set up a connector between OpenSearch and Athena. But I cannot seem to be able to read OpenSearch correctly.

At first the error message was:

Failed to get tables names from lambda function due to com.amazonaws.services.lambda.invoke.LambdaFunctionException: Elasticsearch exception [type=security_exception, reason=no permissions for [indices:admin/aliases/get] and User [name=arn:aws:iam::123456789:role/serverlessrepo-AthenaElasticse-ConnectorConfigRole-1HS18LEQVB05Q, backend_roles=[arn:aws:iam::876152107473:role/serverlessrepo-AthenaElasticse-ConnectorConfigRole-1HS18LEQVB05Q], requestedTenant=null]]

While I was trying to figure it out the error changed to

Failed to get tables names from lambda function due to com.amazonaws.services.lambda.invoke.LambdaFunctionException: method [HEAD], host [https://xxxxxxxxx.me-south-1.es.amazonaws.com], URI [/], status line [HTTP/1.1 403 Forbidden]

I tried to change the lambda role to include the AmazonOpenSearchServiceFullAccess policy, but it didn't change anything.

Note that I can actually see the Data source and I can list all the Databases, but not the tables. Everything is in the same account and region. What did I miss?

1 Answer
1
Accepted answer

Hello,

Thank you for bringing the query.

From the error given above, there could be a possibility that the Lambda role is not mapped to the "all_access" backend roles in OpenSearch. [1] Could you please confirm the same? In case it is not, I would suggest that you try the following steps:

To find lambda execution role please navigate to path:

Lambda Console > Applications > serverlessrepo-AthenaElasticsearchConnector > Under resources, open ConnectorConfig > it will navigate to lambda function(then click on configuration) > permissions > under Execution role(you will see a role attached to function)

Now, to map the Lambda role to the "all_access" backend roles in OpenSearch Dashboards, please navigate to the path below:

OpenSearch Dashboards > Menu > Security > Roles > click on ‘all_access’ role > Click on Mapped users > Manage mapping > Under Backend roles please add the Lambda role ARN > Map

Then try looking for the tables again on Athena console. Also, please make sure you are using the latest version of the connector.

In case this doesn’t help, I would recommend you to reach out to AWS Support Engineering via a support ticket to further troubleshoot the issue.

Thank you!

References: [1] https://opensearch.org/docs/latest/security/access-control/users-roles/

AWS
SUPPORT ENGINEER
answered 9 months ago
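The mapping step described in the answer above can also be done through the OpenSearch Security plugin REST API instead of the Dashboards UI, which is easier to review and to repeat across environments. The script below is an added example; it is not part of the original post, the answer, or the Athena connector project. It assumes the domain endpoint is in OS_ENDPOINT, that the domain's master user is a basic-auth user in ADMIN_USER/ADMIN_PASS (an IAM master user would use curl's --aws-sigv4 instead), that the Lambda execution role ARN is in LAMBDA_ROLE_ARN, and that a dedicated role named athena_connector is acceptable. The only action known to be required from the page is the one in the error, indices:admin/aliases/get; the other allowed actions in the role body (mapping reads, index monitoring, the built-in read group) are an assumption about what a read-only connector needs and may have to be widened if later security_exception errors name further actions.

```shell
#!/usr/bin/env sh
# Added example, not from the original post or the connector project.
# Grants the Athena connector's Lambda execution role access to an
# OpenSearch domain with fine-grained access control enabled, by creating
# a scoped security role and mapping the IAM role ARN to it as a backend role.
#
# Assumed environment (adjust to your domain):
#   OS_ENDPOINT      e.g. https://xxxxxxxxx.me-south-1.es.amazonaws.com
#   ADMIN_USER/ADMIN_PASS  master user of the domain (basic auth)
#   LAMBDA_ROLE_ARN  execution role of the connector's Lambda function
#   INDEX_PATTERN    indices the connector may read (default: all)
# The curl calls run only when OS_ENDPOINT is set, so the functions that
# build the request bodies can be exercised offline.
set -e

# Role body: the action named in the original error (indices:admin/aliases/get)
# plus read-only actions a connector plausibly needs. The extra actions are an
# assumption; widen them if further security_exception errors name others.
athena_connector_role_body() {
  index_pattern="$1"
  cat <<EOF
{
  "cluster_permissions": ["cluster_monitor", "cluster_composite_ops_ro"],
  "index_permissions": [{
    "index_patterns": ["${index_pattern}"],
    "allowed_actions": [
      "indices:admin/aliases/get",
      "indices:admin/mappings/get",
      "indices_monitor",
      "read"
    ]
  }]
}
EOF
}

# Mapping body: the Lambda role ARN becomes a backend role of the security role.
# With IAM-authenticated requests, the security plugin sees the caller's role ARN
# as its backend role, which is what the original error message shows.
rolesmapping_body() {
  cat <<EOF
{"backend_roles": ["$1"]}
EOF
}

# Create the role, attach the mapping, then read the mapping back to confirm it.
apply_mapping() {
  role_name="$1"; index_pattern="$2"; arn="$3"
  api="${OS_ENDPOINT}/_plugins/_security/api"

  athena_connector_role_body "$index_pattern" |
    curl -sS -f -u "${ADMIN_USER:?}:${ADMIN_PASS:?}" -X PUT \
      -H 'Content-Type: application/json' --data-binary @- \
      "${api}/roles/${role_name}"

  # PUT on a role mapping REPLACES the whole mapping. This role is new, so
  # nothing is lost; doing the same PUT against all_access would drop every
  # user and backend role already mapped there (including the master role).
  rolesmapping_body "$arn" |
    curl -sS -f -u "${ADMIN_USER:?}:${ADMIN_PASS:?}" -X PUT \
      -H 'Content-Type: application/json' --data-binary @- \
      "${api}/rolesmapping/${role_name}"

  curl -sS -f -u "${ADMIN_USER:?}:${ADMIN_PASS:?}" "${api}/rolesmapping/${role_name}"
}

if [ -n "${OS_ENDPOINT:-}" ]; then
  apply_mapping athena_connector "${INDEX_PATTERN:-*}" "${LAMBDA_ROLE_ARN:?set LAMBDA_ROLE_ARN}"
fi
```

Two checks worth making when applying this. First, the answer's all_access role is cluster administrator; mapping a data-plane connector to it works but grants far more than listing aliases and reading indices, so a scoped role like the one above is the least-privilege option and the error messages tell you exactly which action to add when it is too narrow. Second, fine-grained access control only evaluates a request after the domain's access policy has let it through: a JSON security_exception (like the first error on the page) comes from the security plugin and is fixed by role mapping, whereas a bare HTTP/1.1 403 Forbidden on HEAD / (like the second error) is returned by the service itself, so in that case also confirm the domain access policy allows es:ESHttp* for the Lambda role's ARN. An IAM managed policy such as AmazonOpenSearchServiceFullAccess attached to the Lambda role does not by itself satisfy either of those two checks.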
