Opensearch Serverless Resource throwing a 403 forbidden error

I'm trying to provide minimum permissions to my opensearch serverless collection.

I have everything working with the resource set to "*". However, when I try to narrow this down I'm getting errors.

Below is an example of my IAM role statements (working example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - "*"

Here are the IAM role statements (breaking example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id*

1 Answer

Accepted answer

If the action is set to "aoss:*", then APIs with resource types other than "Collection" will also be restricted, resulting in an error.
The table linked below shows that only three actions can be set with the "Collection" resource type: "APIAccessAll", "DeleteCollection" and "UpdateCollection".
For APIs other than the above, setting the resource type to "Collection" will result in an error.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html#amazonopensearchserverless-actions-as-permissions

EXPERT
answered 10 months ago
AWS
EXPERT
verified 10 months ago
  • So I would make the following policy.

            iamRoleStatements:
                - Effect: Allow
                  Action:
                      - aoss:APIAccessAll
                      - aoss:DeleteCollection
                      - aoss:UpdateCollection
                  Resource:
                      - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
                - Effect: Allow
                  Action:
                      - aoss:DashboardsAccessAll
                  Resource:
                      - arn:aws:aoss:region:account-id:dashboards/default
                - Effect: Allow
                  Action:
                     - aoss:*
                  Resource:
                     - "*"
    
  • So does:

    Resource: 
        - "*"
    

    need to remain for "aoss:*", or can this be narrowed down to a specific index? Apologies if this is a silly question, just wanted to double check.

  • As far as I can see from the documentation, only the policy I described can narrow down the resource type. So, if you want to allow "aoss:*", the resource type must be "*".
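To make the constraint from the accepted answer checkable before deployment, here is a small static check (an added example, not code from the post or from AWS). It assumes the action-to-resource-type mapping from the linked service-authorization table, a constructed region and account id, and Python dicts in place of the Serverless Framework YAML; it flags every Action that cannot be fully honoured on the Resource it is paired with, which is the pattern behind the 403 in the question.

```python
# Added example, not from the post. Assumed from the linked docs table: only
# these aoss actions accept a collection ARN, DashboardsAccessAll accepts a
# dashboards ARN, and every other action (so also aoss:*) needs Resource "*".
COLLECTION_ACTIONS = {"aoss:APIAccessAll", "aoss:DeleteCollection", "aoss:UpdateCollection"}
DASHBOARDS_ACTIONS = {"aoss:DashboardsAccessAll"}
SCOPED = {"collection": COLLECTION_ACTIONS, "dashboards": DASHBOARDS_ACTIONS}

# Constructed sample region/account; the collection id mirrors the question.
COLLECTION_ARN = "arn:aws:aoss:eu-west-1:123456789012:collection/open_search_collection_id"

# The question's "breaking example" and the split suggested in the comments.
BREAKING = [
    {"Effect": "Allow", "Action": ["aoss:APIAccessAll"], "Resource": [COLLECTION_ARN]},
    {"Effect": "Allow", "Action": ["aoss:*"], "Resource": [COLLECTION_ARN + "*"]},
]
FIXED = [
    {"Effect": "Allow", "Action": sorted(COLLECTION_ACTIONS), "Resource": [COLLECTION_ARN]},
    {"Effect": "Allow", "Action": ["aoss:*"], "Resource": ["*"]},
]


def resource_type(arn):
    """'any' for "*", else the aoss resource type in the ARN ('collection', ...)."""
    if arn == "*":
        return "any"
    if arn.startswith("arn:aws:aoss:"):
        return arn.split(":", 5)[5].split("/", 1)[0]
    return "other"


def find_scoping_errors(statements):
    """Return (action, resource) pairs whose scoping will deny part of the action."""
    errors = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            for res in resources:
                rtype = resource_type(res)
                if rtype == "any":
                    continue  # "*" is valid for every aoss action
                # A wildcard action expands to APIs that only accept "*", so it
                # is never fully honoured on a scoped ARN; a named action must
                # be one the docs list for this resource type.
                if "*" in action or action not in SCOPED.get(rtype, set()):
                    errors.append((action, res))
    return errors
```

Running `find_scoping_errors(BREAKING)` reports the `aoss:*` statement on the collection ARN, while `FIXED` comes back clean.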
