Amazon OpenSearch Serverless does not allow creating a data access policy with a cross-account identity or a cross-account collection. That doesn't mean you cannot set up cross-account access: you can always use assume-role to access a cross-account collection. Below are the sample steps.

1. Let's say you have created a collection named `alb-logs` in account `123456789012`, with the required encryption and network policy as per your requirement.

2. Now create an IAM role (`aoss-cross-account-role`) in your account (`123456789012`) where you have created the collection `alb-logs`, with the required permissions, and create a trust relationship with the account from which you want to access this collection. For example, if you want user `abcdef` in account `987654321012` to access your collection `alb-logs` created in account `123456789012`, you need to set up the IAM trust policy like below.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": [
             "arn:aws:iam::987654321012:user/abcdef"
           ]
         },
         "Action": "sts:AssumeRole",
         "Condition": {}
       }
     ]
   }
   ```

   Note: This is just an example policy. You can set up more complex conditions for additional restrictions.

3. Update your data access policy in account `123456789012` with the ARN of the newly created IAM role. For our example, the data access policy will look like this.

   ```json
   [
     {
       "Rules": [
         {
           "Resource": [
             "collection/alb-logs"
           ],
           "Permission": [
             "aoss:DescribeCollectionItems"
           ],
           "ResourceType": "collection"
         },
         {
           "Resource": [
             "index/alb-logs/*"
           ],
           "Permission": [
             "aoss:DescribeIndex",
             "aoss:ReadDocument"
           ],
           "ResourceType": "index"
         }
       ],
       "Principal": [
         "arn:aws:iam::123456789012:role/aoss-cross-account-role"
       ],
       "Description": "Rule 1"
     }
   ]
   ```

   Note: This is just a sample policy. This policy will allow the role `arn:aws:iam::123456789012:role/aoss-cross-account-role` to describe `alb-logs` collection items and to describe and read any indices in collection `alb-logs` in account `123456789012`.

4. Now, using the credentials of the user `arn:aws:iam::987654321012:user/abcdef`, you can call the STS `assume-role` API to assume the role and obtain the credentials.

   ```shell
   aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/aoss-cross-account-role" --role-session-name AWSCLI-AOSS-Cross-Account
   ```

5. You can use the credentials obtained in step 4 to access the collection `alb-logs` created in account `123456789012` from account `987654321012`.

For cross-account access of AOSS via VPC:

- You can create a VPC endpoint in your other account `987654321012`, and it will give you a VPC endpoint ID like `vpce-<ALPHA-NUMERIC-STRING>`.
- Update the network policy in your account `123456789012` with the VPC endpoint ID to allow accessing the collection of account `123456789012` from account `987654321012` via VPC.
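To make the assume-role pattern from the answer above concrete, here is an added Python example (not code from the answer or from AWS). It builds the two policies the answer shows, runs a small consistency check over them (the data access policy may only name principals in the collection's own account, the trust policy must not be open to `*`, and a read-only intent must not be undermined by write permissions), maps an `sts assume-role` response onto SDK credentials, and shows how those temporary credentials are used to sign requests for the `aoss` service. The account IDs, names and permissions are the answer's; the `SAMPLE_ASSUME_ROLE_RESPONSE` values, the region and the endpoint host are constructed placeholders, and `aoss_client` needs `boto3` and `opensearch-py` installed (both imported locally so the offline checks run without them).

```python
import json
from typing import Dict, List

# Values taken from the answer above.
COLLECTION_ACCOUNT = "123456789012"   # account that owns the collection
CLIENT_ACCOUNT = "987654321012"       # account whose user assumes the role
ROLE_NAME = "aoss-cross-account-role"
USER_NAME = "abcdef"
COLLECTION = "alb-logs"

# Data access policy permissions that change data or index layout; flagged
# by check_policies() when the intent is read-only, as in the answer.
WRITE_PERMISSIONS = {
    "aoss:CreateCollectionItems", "aoss:DeleteCollectionItems", "aoss:UpdateCollectionItems",
    "aoss:CreateIndex", "aoss:DeleteIndex", "aoss:UpdateIndex", "aoss:WriteDocument",
}

# Constructed sample with the shape of `aws sts assume-role` output; not real credentials.
SAMPLE_ASSUME_ROLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "example-secret-key",
        "SessionToken": "example-session-token",
        "Expiration": "2024-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:AWSCLI-AOSS-Cross-Account",
        "Arn": f"arn:aws:sts::{COLLECTION_ACCOUNT}:assumed-role/{ROLE_NAME}/AWSCLI-AOSS-Cross-Account",
    },
}


def trust_policy(client_account: str, user_name: str) -> Dict:
    """Trust policy for the role in the collection account: only the named
    user in the client account may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{client_account}:user/{user_name}"]},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    }


def data_access_policy(collection_account: str, role_name: str, collection: str) -> List[Dict]:
    """AOSS data access policy granting the role read-only access to the collection."""
    return [{
        "Rules": [
            {"Resource": [f"collection/{collection}"],
             "Permission": ["aoss:DescribeCollectionItems"],
             "ResourceType": "collection"},
            {"Resource": [f"index/{collection}/*"],
             "Permission": ["aoss:DescribeIndex", "aoss:ReadDocument"],
             "ResourceType": "index"},
        ],
        "Principal": [f"arn:aws:iam::{collection_account}:role/{role_name}"],
        "Description": "Rule 1",
    }]


def account_of(arn: str) -> str:
    """The account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def check_policies(trust: Dict, access: List[Dict], collection_account: str,
                   read_only: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for stmt in trust["Statement"]:
        principals = stmt["Principal"].get("AWS", [])
        if principals == "*" or "*" in principals:
            problems.append("trust policy allows any AWS principal to assume the role")
    for stmt in access:
        for principal in stmt["Principal"]:
            # AOSS rejects cross-account principals here; the role must live in the collection account.
            if account_of(principal) != collection_account:
                problems.append(f"data access policy principal is cross-account: {principal}")
        if read_only:
            for rule in stmt["Rules"]:
                granted = WRITE_PERMISSIONS.intersection(rule["Permission"])
                if granted:
                    problems.append(f"write permission granted on {rule['Resource']}: {sorted(granted)}")
    return problems


def session_credentials(assume_role_response: Dict) -> Dict[str, str]:
    """Map an sts assume-role response onto the three values an AWS SDK session needs."""
    creds = assume_role_response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def aoss_client(session_creds: Dict[str, str], region: str, endpoint_host: str):
    """opensearch-py client that SigV4-signs with the assumed role's temporary
    credentials. Serverless collections are signed for service 'aoss', not 'es'."""
    import boto3
    from opensearchpy import OpenSearch, RequestsHttpConnection, AWSV4SignerAuth
    credentials = boto3.Session(region_name=region, **session_creds).get_credentials()
    return OpenSearch(
        hosts=[{"host": endpoint_host, "port": 443}],
        http_auth=AWSV4SignerAuth(credentials, region, "aoss"),
        use_ssl=True, verify_certs=True, connection_class=RequestsHttpConnection,
    )


if __name__ == "__main__":
    trust = trust_policy(CLIENT_ACCOUNT, USER_NAME)
    access = data_access_policy(COLLECTION_ACCOUNT, ROLE_NAME, COLLECTION)
    print(json.dumps(trust, indent=2))
    print(json.dumps(access, indent=2))
    print("problems:", check_policies(trust, access, COLLECTION_ACCOUNT))
    # The mistake the answer warns about: naming a principal from the other account directly.
    wrong = data_access_policy(CLIENT_ACCOUNT, ROLE_NAME, COLLECTION)
    print("problems:", check_policies(trust, wrong, COLLECTION_ACCOUNT))
    print(session_credentials(SAMPLE_ASSUME_ROLE_RESPONSE)["aws_access_key_id"])
```

Running the script prints both policies and an empty problem list for the answer's configuration, then one `cross-account` finding for the variant that names a principal from `987654321012` in the data access policy. The `Expiration` field in the assume-role response is the practical caveat for step 5: the temporary credentials lapse, so a long-running client has to call `assume-role` again (or use a refreshing credential provider) rather than caching them.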
Hello,

I understood that you have a query about cross-account access of OpenSearch Serverless.

> Does this mean that you can't set up network/data access policies that allow one AWS account to access a collection in another account via VPC?

Yes. As of now, you can't set up a connection between a client/application in account A and another account B that has the OpenSearch Serverless cluster. You can't include collections from other accounts in your encryption or data access policies. Client applications/instances need to be in the same account where OpenSearch Serverless resides to access collections in OpenSearch Serverless.

I hope you find the information helpful. Please feel free to get back to me if you have any further queries regarding the same and I would be glad to assist you further.