
After OpenSearch upgrade, get "Missing role" error when trying to sign in using Cognito

0

We have multiple AWS accounts, each with Cognito and OpenSearch Service. One of them is still working; the other two can no longer be accessed after upgrading OpenSearch past version 2.9. When trying to log in, I get the "Missing Role" error. It was working before and nothing was changed. All 3 accounts are managed by Terraform and have the identical configuration.

In OpenSearch, Fine-Grained Access has been enabled and the Master User IAM ARN is set to the same ARN that is configured as IAM Role ARN in the Cognito Group.

I had this error in the past after upgrading. Usually it was enough to edit the OpenSearch domain and paste the IAM Role ARN from the Cognito Group again, but since version 2.10 and higher, this no longer works. I always get the "Missing Role" error.

Did anything change between OpenSearch 2.9 and 2.10? Since then I haven't gotten it to work again; even the latest version 2.17 still has this bug for me.

1 Answer
0

Finally found that the web interface is bugged and the master user ARN cannot be set using the web interface. You have to use the CLI command

aws opensearch update-domain-config \
    --domain-name my-opensearch-domain \
    --advanced-security-options file://options.json

with something like this in options.json

{
    "MasterUserOptions": {
        "MasterUserARN": "arn:aws:iam::123456789012:user/MasterUser"
    }
}

Then it works.

Answered 1 year ago
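The CLI fix above can be scripted so the master user ARN is always taken from the Cognito group instead of being pasted by hand. This is an added example, not code from the original answer; the function names and the three arguments (user pool ID, group name, domain name) are assumptions supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: re-apply the Cognito group's IAM role as the OpenSearch master user.
# All function names here are hypothetical helpers, not part of the AWS CLI.

# Accept only IAM role/user ARNs, so an empty lookup ("None") or a typo
# is never pushed into the domain's security configuration.
valid_principal_arn() {
    printf '%s\n' "$1" |
        grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:(role|user)/[A-Za-z0-9+=,.@_/-]+$'
}

# Emit the --advanced-security-options document for the given ARN.
build_options_json() {
    valid_principal_arn "$1" || { echo "invalid IAM ARN: $1" >&2; return 1; }
    printf '{"MasterUserOptions":{"MasterUserARN":"%s"}}\n' "$1"
}

# Read the IAM role ARN attached to the Cognito group.
cognito_group_role_arn() {
    aws cognito-idp get-group --user-pool-id "$1" --group-name "$2" \
        --query 'Group.RoleArn' --output text
}

# usage: sync_master_user USER_POOL_ID GROUP_NAME DOMAIN_NAME
sync_master_user() {
    local arn options
    arn=$(cognito_group_role_arn "$1" "$2") || return 1
    options=$(build_options_json "$arn") || return 1
    aws opensearch update-domain-config --domain-name "$3" \
        --advanced-security-options "$options"
}

# Only call AWS when all three arguments are given on the command line.
if [ "$#" -eq 3 ]; then
    sync_master_user "$@"
fi
```

If the group has no role attached, the lookup prints `None`, validation fails, and the domain is left untouched.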
