How do I troubleshoot fine-grained access control issues in my OpenSearch Service cluster?


I'm experiencing access control errors or issues in my Amazon OpenSearch Service cluster.

Short description

You might receive fine-grained access control (FGAC) errors, or require additional configuration in your OpenSearch Service cluster. To resolve these issues, follow these troubleshooting steps for your use case.

Note: Because of the managed design of OpenSearch Service, anonymous access isn't supported.


"security_exception","reason":"no permissions" 403 errors

To resolve this error, first check if the user or backend role in your OpenSearch Service cluster has the required permissions. See Permissions on the OpenSearch website. Then, complete the steps from the OpenSearch website to map the user or backend role to a role.

"User: anonymous is not authorized to perform: iam:PassRole"

You might receive this error when you try to register a manual snapshot. You must map the manage_snapshots role to the AWS Identity and Access Management (IAM) role that you used to register the manual snapshot. Then, use that IAM role to send a signed request to the domain.

"Couldn't find any Elasticsearch data"

You might receive this error when you try to create index patterns after upgrading to OpenSearch Service version 7.9. Use the resolve index API to add the indices:admin/resolve/index permission to all indices and aliases when you create an index pattern in an FGAC-activated cluster. For more information, see API on the OpenSearch website.

When this permission is missing, OpenSearch Service throws a 403 error status code. This is then mapped to a 500 error status code from OpenSearch Dashboards. As a result, the indices aren't listed.

401 unauthorized errors

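You might receive a 401 unauthorized error when you use the $ or ! characters in primary credentials with curl -u "user:password". Inside double quotes, the shell can interpret these characters before curl receives them, so the credentials that reach the domain don't match. Make sure to put your credentials in single quotes, as in the following example:

curl -u 'username:password' <Domain_Endpoint>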
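
What the shell does to the credential string under each quoting style, as an added example that is not part of the original article. The credentials, the variable names, and the helper functions basic_header and needs_single_quotes are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample credentials for illustration only; not a real account.

# Build the Basic auth header that curl -u derives from its argument.
basic_header() {
  printf 'Authorization: Basic %s' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# w0rd is normally unset; it is emptied here so the result is deterministic.
w0rd=''

# Double quotes: the shell replaces $w0rd with its (empty) value before curl
# sees the argument. At an interactive bash prompt, "!" can additionally
# trigger history expansion.
DOUBLE_QUOTED="admin:Pa$w0rd!x"

# Single quotes: every character reaches curl literally.
SINGLE_QUOTED='admin:Pa$w0rd!x'

# Return 0 when a credential contains characters that the shell rewrites
# inside double quotes ($, backtick, backslash) or at an interactive prompt (!).
needs_single_quotes() {
  case $1 in
    *'$'*|*'`'*|*'\'*|*'!'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the argument and header that each quoting style produces.
show_quoting_effect() {
  printf 'double-quoted arg: %s\n' "$DOUBLE_QUOTED"
  printf '  %s\n' "$(basic_header "$DOUBLE_QUOTED")"
  printf 'single-quoted arg: %s\n' "$SINGLE_QUOTED"
  printf '  %s\n' "$(basic_header "$SINGLE_QUOTED")"
  if needs_single_quotes "$SINGLE_QUOTED"; then
    printf 'credential contains shell-special characters: use single quotes\n'
  fi
}

show_quoting_effect
```

The two headers differ, which is why the domain rejects the double-quoted form with a 401 even though the password was typed correctly.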

Integrate other AWS services with OpenSearch Service when fine-grained access control is activated

To integrate another AWS service with OpenSearch Service when fine-grained access control is activated, give the correct permissions to the IAM roles for those services. For more information, see Integrations.

Provide fine-grained access to specific indices, dashboards, and visualizations based on user tenancy

To provide FGAC access to specific indices or dashboards, map the user to a role that has permissions to the tenant's Kibana index:


For more information, see Manage OpenSearch Dashboards indices on the OpenSearch website.

Use fine-grained access control at a field-level or document-level

To use fine-grained access control at the field level, set up a role with the required field-level security. Then, map the user to the role that you created. For more information, see Field-level security on the OpenSearch website.

To use fine-grained access control at the document level, create an internal dashboard role with the required document-level security. Then, map the user to the internal dashboard role. For more information, see Document-level security on the OpenSearch website.

Related information

Fine-grained access control in Amazon OpenSearch Service

AWS OFFICIAL, updated a year ago