Opensearch Serverless Resource throwing a 403 forbidden error

I'm trying to provide minimum permissions to my OpenSearch Serverless collection.

I have everything working with the resource set to "*". However, when I try to narrow this down I'm getting errors.

Below is an example of my IAM role statements (working example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - "*"

Here are the IAM role statements (breaking example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id*

1 answer

Accepted answer

If the action is set to "aoss:*", then APIs with resource types other than "Collection" are also restricted, resulting in an error.
The table at the link below shows that only three actions can be set with the "Collection" resource type: "APIAccessAll", "DeleteCollection" and "UpdateCollection".
For APIs other than those, setting the resource to a "Collection" ARN will result in an error.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html#amazonopensearchserverless-actions-as-permissions

EXPERT
answered 10 months ago
AWS EXPERT
reviewed 10 months ago
  • So I would make the following policy.

            iamRoleStatements:
                # Only these three actions are defined with the collection resource type.
                - Effect: Allow
                  Action:
                      - aoss:APIAccessAll
                      - aoss:DeleteCollection
                      - aoss:UpdateCollection
                  Resource:
                      - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
                # DashboardsAccessAll is defined with the dashboards resource type.
                - Effect: Allow
                  Action:
                      - aoss:DashboardsAccessAll
                  Resource:
                      - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
                # Every other aoss action has no resource type, so only "*" matches.
                - Effect: Allow
                  Action:
                      - aoss:*
                  Resource:
                      - "*"
    
  • So does:

    Resource: 
        - "*"
    

    need to remain for "aoss:*", or can this be narrowed down to a specific index? Apologies if this is a silly question, just wanted to double check.

  • As far as I can see from the documentation, only the policy I described can narrow down the resource type. So, if you want to allow "aoss:*", the resource must be "*".
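As an added example (mine, not code from the original post or from AWS), the following Python lint encodes the rule the accepted answer takes from the Service Authorization Reference and runs it over the question's breaking statements: an `aoss:*` grant scoped to a collection ARN silently drops every action that is not defined with the collection resource type, including the one that takes a dashboards ARN and all the resource-less control-plane actions. The `lint` and `split_by_resource_type` names are my own, the `RESOURCELESS_ACTIONS` set is an assumed subset of real aoss actions used only to expand the wildcard (not the complete table), and the sample statements are constructed from the question.

```python
"""Lint OpenSearch Serverless (aoss) IAM statements for resource-type mismatches.

Encodes the rule from the Service Authorization Reference that the accepted
answer cites: APIAccessAll, DeleteCollection and UpdateCollection are defined
with the "collection" resource type, DashboardsAccessAll with "dashboards",
and every other aoss action has no resource type, so a grant for it only
matches when Resource is "*". The set used to expand "aoss:*" below is an
assumed subset of real aoss actions, not the complete table.
"""
from fnmatch import fnmatchcase

COLLECTION_ACTIONS = {"aoss:APIAccessAll", "aoss:DeleteCollection", "aoss:UpdateCollection"}
DASHBOARDS_ACTIONS = {"aoss:DashboardsAccessAll"}
# Assumed subset of the resource-less (control-plane) aoss actions.
RESOURCELESS_ACTIONS = {
    "aoss:BatchGetCollection", "aoss:CreateCollection", "aoss:ListCollections",
    "aoss:CreateAccessPolicy", "aoss:CreateSecurityPolicy",
}
ALL_ACTIONS = COLLECTION_ACTIONS | DASHBOARDS_ACTIONS | RESOURCELESS_ACTIONS

# Constructed sample input, copied from the question's breaking example.
COLLECTION_ARN = "arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id"
DASHBOARDS_ARN = "arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default"
BREAKING = [
    {"Effect": "Allow", "Action": ["aoss:APIAccessAll"], "Resource": [COLLECTION_ARN]},
    {"Effect": "Allow", "Action": ["aoss:*"], "Resource": [COLLECTION_ARN + "*"]},
]


def required_type(action):
    """Resource type an aoss action is defined with; "*" means it has none."""
    if action in COLLECTION_ACTIONS:
        return "collection"
    if action in DASHBOARDS_ACTIONS:
        return "dashboards"
    return "*"


def resource_type(resource):
    """Type named by a Resource entry: "*", "collection", "dashboards" or "other".

    Splits on the last ":" so Serverless variables such as ${aws:region} do not
    confuse the parse; a wildcard on the ID (collection/abc*) is still a
    collection ARN, which is why the trailing "*" in the question does not help.
    """
    if resource == "*":
        return "*"
    if not resource.startswith("arn:aws:aoss:"):
        return "other"
    return resource.rsplit(":", 1)[-1].split("/", 1)[0]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint(statements):
    """Return (action, resource, reason) for every Allow grant that can never match."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            # IAM action matching is case-insensitive; fnmatch's "*" spans ":" too.
            matched = sorted(a for a in ALL_ACTIONS if fnmatchcase(a.lower(), pattern.lower()))
            for action in matched:
                need = required_type(action)
                for res in _as_list(stmt["Resource"]):
                    have = resource_type(res)
                    if have == "*" or have == need:
                        continue  # "*" matches any resource; an exact type match is fine
                    findings.append((action, res, f"defined with resource type {need!r}, Resource is {have!r}"))
    return findings


def split_by_resource_type(actions, collection_arn, dashboards_arn):
    """Group the actions you need into Allow statements, each scoped as narrowly as it supports."""
    scope = {"collection": collection_arn, "dashboards": dashboards_arn, "*": "*"}
    grouped = {}
    for action in sorted(actions):
        grouped.setdefault(required_type(action), []).append(action)
    return [{"Effect": "Allow", "Action": acts, "Resource": [scope[t]]} for t, acts in grouped.items()]


if __name__ == "__main__":
    for action, res, reason in lint(BREAKING):
        print(f"{action} on {res}: {reason}")
    needed = {"aoss:APIAccessAll", "aoss:ListCollections", "aoss:DashboardsAccessAll"}
    for stmt in split_by_resource_type(needed, COLLECTION_ARN, DASHBOARDS_ARN):
        print(stmt)
```

Run as a script, it reports one dead grant per non-collection action hidden inside the `aoss:*` statement, and then prints the narrowed form: instead of `aoss:*` on `*`, list the specific resource-less actions you actually need on `*` and keep only the three collection-typed actions on the collection ARN, which is as far as the resource can be narrowed for those APIs.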
