I have an Amazon OpenSearch Service domain in a virtual private cloud (VPC) with fine-grained access control activated. I want to use username and password HTTP basic authentication to access OpenSearch Dashboards from outside the VPC.
Short description
By default, OpenSearch Dashboards restricts access to the VPC where it's located. When you access OpenSearch Dashboards from a local computer that's not connected to the VPC or without a connection proxy, you get a timeout error.
To access OpenSearch Dashboards with HTTP basic authentication from outside of a VPC, use one of the following methods:
- Use AWS Site-to-Site VPN to establish a secure connection between networks.
- Use AWS Client VPN to establish a secure connection for individual users.
- Use an SSH tunnel to establish a secure connection through a jump server.
- Use an NGINX proxy to use a web server as an intermediary.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version. The following resolution doesn't work for OpenSearch Dashboards that use Amazon Cognito authentication.
To use fine-grained access control with HTTP basic authentication, the domain must have an open domain access policy that allows anonymous access.
Example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": [
        "es:ESHttp*"
      ],
      "Resource": "arn:aws:es:region:123456789:domain/test-domain/*"
    }
  ]
}
Note: Replace region with your AWS Region, 123456789 with your AWS account ID, and test-domain with your domain name.
Also, you must configure the master user type as Internal user database. You can use the OpenSearch Service console or the AWS CLI to configure this setting.
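To confirm both prerequisites before you rely on them, the following added Python check (not AWS's code) inspects the DomainStatus object that `aws opensearch describe-domain` returns and reports what is still missing; the sample DomainStatus, account ID and VPC values in it are constructed.

```python
import json

# Added example, not AWS's code. It reads the DomainStatus object returned by
# `aws opensearch describe-domain` and lists the article's prerequisites the
# domain does not meet. Field names follow that API; the sample is constructed.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows_anonymous_http(policy_doc: str, domain_arn: str) -> bool:
    """True if an Allow statement grants es:ESHttp* to Principal "*" on the domain."""
    try:
        policy = json.loads(policy_doc) if policy_doc else {}
    except json.JSONDecodeError:
        return False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if ("*" in aws and any(a in ("es:ESHttp*", "es:*") for a in actions)
                and any(r in (domain_arn + "/*", "*") for r in resources)):
            return True
    return False

def check_domain(status: dict) -> list:
    """Return the prerequisites the domain fails; an empty list means it is ready."""
    problems = []
    security = status.get("AdvancedSecurityOptions", {})
    if not security.get("Enabled"):
        problems.append("fine-grained access control is not enabled")
    if not security.get("InternalUserDatabaseEnabled"):
        problems.append("master user is not in the internal user database")
    if status.get("CognitoOptions", {}).get("Enabled"):
        problems.append("Dashboards uses Cognito authentication; this procedure does not apply")
    if not policy_allows_anonymous_http(status.get("AccessPolicies", ""), status["ARN"]):
        problems.append('access policy does not allow es:ESHttp* for Principal "*"')
    return problems

# Constructed sample DomainStatus: FGAC is on, but the master user is still an IAM ARN.
SAMPLE_STATUS = {
    "ARN": "arn:aws:es:us-east-1:123456789012:domain/test-domain",
    "CognitoOptions": {"Enabled": False},
    "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False},
    "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": ["es:ESHttp*"],
        "Resource": "arn:aws:es:us-east-1:123456789012:domain/test-domain/*"}]}),
}
```

Run `check_domain` on the `DomainStatus` value from your own `describe-domain` output; an empty list means the domain satisfies the requirements above.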
Use Site-to-Site VPN
A Site-to-Site VPN creates a secure encrypted connection between your on-premises network and Amazon Virtual Private Cloud (Amazon VPC). When you configure a Site-to-Site VPN, you can directly access the OpenSearch Dashboards URL. To find the OpenSearch Dashboards URL, complete the following steps:
- Open the OpenSearch Service console.
- Choose Domains, and then select your domain.
- Choose the General information tab.
- Choose the OpenSearch Dashboards URL.
Use Client VPN
Use Client VPN to securely access your AWS resources and resources in your on-premises network from any location. To access OpenSearch Dashboards, connect to the VPN, and then open the OpenSearch Dashboards URL.
Note: Client VPN allows individual users to access OpenSearch Dashboards without a site-to-site connection.
Use an SSH tunnel
An SSH tunnel establishes a secure, encrypted connection over the SSH protocol, typically port 22. You can use the SSH tunnel to access resources inside a private VPC from your local machine.
To use an SSH tunnel to access your resources, configure the following resources:
- An Amazon Elastic Compute Cloud (Amazon EC2) instance in the same VPC as your OpenSearch Service domain
- SSH port forwarding on your local machine
For detailed configuration instructions, see Testing VPC domains.
Use an NGINX proxy
Use the NGINX web server as an intermediary server to forward requests from the public internet to your OpenSearch Service domain inside a VPC. To configure the NGINX proxy, see How do I use an NGINX proxy to access Kibana or OpenSearch Dashboards outside of a VPC that doesn't use Amazon Cognito authentication?
After you configure the NGINX proxy, you can also run curl commands and other REST APIs on the OpenSearch Service cluster from your local machine.
Related information
How do I troubleshoot fine-grained access control issues in my OpenSearch Service cluster?