Lambda role not authorized to perform GET action on OpenSearch


I have a Lambda function with Python code that connects to my OpenSearch Service domain. Now when I test the code in Lambda I get this error: "body": "{\"Message\":\"User: arn:aws:sts::700875800956:assumed-role/lambdaRole/testFunction is not authorized to perform: es:ESHttpGet because no identity-based policy allows the es:ESHttpGet action\"}"

But the lambdaRole has all these permissions, so I don't know what I'm doing wrong: [screenshot of the role's attached permissions]

This is the JSON of the OpenSearch Service policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "es:DeleteOutboundConnection",
                "es:UpdateVpcEndpoint",
                "es:DeletePackage",
                "es:ListVpcEndpoints",
                "es:ListVpcEndpointsForDomain",
                "es:ListElasticsearchInstanceTypeDetails",
                "es:ListDomainsForPackage",
                "es:ListInstanceTypeDetails",
                "es:AuthorizeVpcEndpointAccess",
                "es:AcceptInboundConnection",
                "es:DeleteElasticsearchServiceRole",
                "es:DescribeInboundConnections",
                "es:DescribeOutboundConnections",
                "es:DescribeReservedInstances",
                "es:AcceptInboundCrossClusterSearchConnection",
                "es:DescribeReservedInstanceOfferings",
                "es:DescribeInstanceTypeLimits",
                "es:DescribeVpcEndpoints",
                "es:ListVpcEndpointAccess",
                "es:DeleteInboundCrossClusterSearchConnection",
                "es:DescribeOutboundCrossClusterSearchConnections",
                "es:DeleteOutboundCrossClusterSearchConnection",
                "es:DescribeReservedElasticsearchInstanceOfferings",
                "es:CreateServiceRole",
                "es:CreateElasticsearchServiceRole",
                "es:UpdatePackage",
                "es:RejectInboundCrossClusterSearchConnection",
                "es:DeleteInboundConnection",
                "es:GetPackageVersionHistory",
                "es:RejectInboundConnection",
                "es:PurchaseReservedElasticsearchInstanceOffering",
                "es:CreateVpcEndpoint",
                "es:DescribeInboundCrossClusterSearchConnections",
                "es:ListVersions",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:PurchaseReservedInstanceOffering",
                "es:CreatePackage",
                "es:DeleteVpcEndpoint",
                "es:DescribePackages",
                "es:ListElasticsearchInstanceTypes",
                "es:ListElasticsearchVersions",
                "es:DescribeElasticsearchInstanceTypeLimits",
                "es:RevokeVpcEndpointAccess"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "arn:aws:es:xxxx:domain/project"
        }
    ]
}
1 answer

The posted policy does not seem to contain ESHttpGet.

Try adding that to the policy and see if it allows it.

Alternatively, it could be related to the fact that ES requests may have to be signed with SigV4. Check these out:

  1. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/request-signing.html
  2. https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-an-easy-way-to-send-aws-sigv4-signed-requests/
EXPERT
answered a year ago
  • I added it, but then I get this error:

    "body": "{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxx:role/lambdaRole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxxx:role/lambdaRole], requestedTenant=null]"},"status":403}"
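The first error in the question ("no identity-based policy allows the es:ESHttpGet action") is an IAM decision, so it is worth checking exactly which statement of the posted role policy could match a data-plane request. The following is an added example, not code from the question or the answer: a deliberately minimal IAM matcher (Allow statements and wildcard matching only; no Deny, no Conditions, no domain access policy) run against a reconstruction of the posted policy. REGION and ACCOUNT stand in for the redacted "xxxx", and the domain endpoint and request path are constructed. It illustrates one common cause of this exact message: es:* on the bare domain ARN "domain/project" does not match an HTTP request, which IAM evaluates against the domain's sub-resource ARN (domain ARN plus request path), so the statement needs "domain/project/*" as well.

```python
"""Minimal IAM identity-policy matcher (added example, not from the original post).

Models only Allow statements with IAM wildcard matching. It ignores Deny,
Condition, the domain's resource-based access policy and fine-grained access
control, so it is a teaching aid, not an authorization engine.
"""
import json
import re

# Reconstruction of the posted lambdaRole policy. The long management-API action
# list of VisualEditor0 is abbreviated; REGION/ACCOUNT are placeholders for the
# redacted values in the question.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["es:ListDomainNames", "es:DescribePackages"],
         "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": "es:*",
         "Resource": "arn:aws:es:REGION:ACCOUNT:domain/project"},
    ],
}

# A search request from the Lambda (GET https://<endpoint>/_search) is evaluated by
# IAM as action es:ESHttpGet on the domain sub-resource ARN below (constructed).
SEARCH_RESOURCE = "arn:aws:es:REGION:ACCOUNT:domain/project/_search"


def _iam_match(pattern, value, case_insensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Return the Sid of the first Allow statement matching action and resource, else None.

    Action names are matched case-insensitively, resource ARNs case-sensitively,
    which is how IAM treats them.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(_iam_match(a, action, True) for a in actions)
                and any(_iam_match(r, resource, False) for r in resources)):
            return stmt.get("Sid")
    return None


def fixed_policy(policy):
    """Copy of the policy with the domain statement widened to the domain's sub-resources."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the original untouched
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == "VisualEditor1":
            domain_arn = stmt["Resource"]
            stmt["Resource"] = [domain_arn, domain_arn + "/*"]
    return fixed


if __name__ == "__main__":
    for label, pol in (("posted", ROLE_POLICY), ("fixed", fixed_policy(ROLE_POLICY))):
        print(label, "es:ESHttpGet on", SEARCH_RESOURCE, "->",
              is_allowed(pol, "es:ESHttpGet", SEARCH_RESOURCE))
```

Keeping the widened resource scoped to one domain ("domain/project/*" rather than "*") preserves least privilege: the same matcher shows that a search against a different domain is still denied. Note also that the second error reported in the comment above (security_exception, "no permissions for [indices:data/read/search]") is not an IAM message at all: it comes from the domain's fine-grained access control, which is a separate authorization layer inside OpenSearch that maps IAM roles to OpenSearch roles, and nothing in an IAM policy can satisfy it.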
