Debugging Opensearch domain level access policy

0

Hi,

I am trying to debug a domain level access policy for OpenSearch (OS) that, if I've read the documentation correctly, should be working but it is not and is failing with errors that I don't understand.

Specifically, I am trying to lock down a single OS domain with multiple indices, where each index has different access controls depending on the principals accessing it. In this case the problem involves code running on an EC2 instance.

The policy in question is:

    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:role/EC2_ROLE_4"
      },
      "Action": "es:ESHttp*",
      "Resource": [
        "arn:aws:es:REGION:ACCOUNTID:domain/DOMAIN/index3/*",
        "arn:aws:es:REGION:ACCOUNTID:domain/DOMAIN/index4/*"
      ]
    }

There are no other explicit Deny policies involving EC2_ROLE_4 or the specific resources in question. Which is to say that there are Deny policies in domain access policy but they are scoped to other principals and resources.

There are two applications that I have been testing, both written in Go using the opensearch-project/opensearch-go package to talk to OS. They also use the aaronland/go-aws-auth helper package to create an AWS config instance for an IAM user (the EC2 role) used to configure the opensearch-go "signer":

// This just returns github.com/aws/aws-sdk-go-v2/config.LoadDefaultConfig https://github.com/aaronland/go-aws-auth/blob/main/config.go#L108-L111

(My understanding of the aws-sdk-go-v2 package is that it handles retrieving and configuring instance profiles for EC2 instances under the hood so I don't think this is the root cause but... maybe?)

The first application issues HTTP PUT requests and is successful. The second application issues HTTP POST requests and fails with the following error:

status: 403, error: {"Message":"User: arn:aws:iam::ACCOUNTID:user/EMAIL_ADDRESS is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action"}

Which I understand in principle except that:

  1. The policy above should allow HTTP POST requests (and as mentioned PUT requests are successful).
  2. I don't understand why the error message is specifying a user account rather than an EC2 IAM role.

To my knowledge, there are no other system-wide limits like disallowing "POST" requests. Or rather, if there are I am not sure where to look. Assuming I haven't missed something I feel like this should work but it's not.

Any pointers or suggestions would be welcome.

aaron
posted 7 months ago, 325 views
1 Answer
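As an added diagnostic (not code from the question, from opensearch-go or from AWS), this small Go model of the Allow statement above checks whether a given caller ARN, action and resource ARN fall inside it, and parses the 403 body quoted above to recover the caller and action the service reported. Run against that body it shows that the statement names only the role ARN as principal, so a request the service attributes to an IAM user is outside it regardless of the HTTP method; the trailing-`*` prefix matching is an assumption of this example and simplifies IAM's full pattern rules.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Statement holds the fields of the single Allow statement from the question.
type Statement struct {
	Principal string   // the "AWS" principal ARN
	Action    string   // may end in '*', e.g. "es:ESHttp*"
	Resources []string // may end in '*'
}

// wildcardMatch treats a trailing '*' as a prefix match, otherwise requires equality
// (a simplification of IAM's wildcard rules, assumed for this example).
func wildcardMatch(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == value
}

// Allows reports whether the statement covers the given principal, action and resource.
func (s Statement) Allows(principalARN, action, resourceARN string) bool {
	if s.Principal != principalARN || !wildcardMatch(s.Action, action) {
		return false
	}
	for _, r := range s.Resources {
		if wildcardMatch(r, resourceARN) {
			return true
		}
	}
	return false
}

// denialRE pulls the caller ARN and the action out of the 403 body's Message field.
var denialRE = regexp.MustCompile(`^User: (\S+) is not authorized to perform: (\S+)`)

// ParseDenial extracts (callerARN, action) from a 403 JSON body; ok is false if it cannot.
func ParseDenial(body string) (callerARN, action string, ok bool) {
	var msg struct{ Message string }
	if json.Unmarshal([]byte(body), &msg) != nil {
		return "", "", false
	}
	if m := denialRE.FindStringSubmatch(msg.Message); m != nil {
		return m[1], m[2], true
	}
	return "", "", false
}
```

Feeding the caller ARN returned by ParseDenial into Allows is the quickest way to see whether the principal the service saw is the one the policy names.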
0

Hello. Ideally, if you want to control access at the index level (or even the document or field level), you should consider using the Fine-Grained Access Control feature for Amazon OpenSearch Service. [+] Fine-grained access control in Amazon OpenSearch Service - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html

AWS
SUPPORT ENGINEER
answered 7 months ago
EXPERT
verified one month ago
