Opensearch Serverless Resource throwing a 403 forbidden error

0

I'm trying to provide minimum permissions to my opensearch serverless collection.

I have everything working with the resource set to "*". However, when I try to narrow this down I'm getting errors.

Below is an example of my IAM role statements (working example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - "*"

Here is the IAM role statements (breaking example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id*
1 answer
2
Accepted answer

If the action is set to "aoss:*", then APIs with resource types other than "Collection" will also be restricted, resulting in an error.
The table below shows that the "Collection" resource type can be set for only three APIs: "APIAccessAll", "DeleteCollection" and "UpdateCollection".
For APIs other than the above, setting the resource type to "Collection" will result in an error.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html#amazonopensearchserverless-actions-as-permissions

EXPERT
answered 10 months ago
AWS
EXPERT
reviewed 10 months ago
  • So I would make the following policy.

            iamRoleStatements:
                - Effect: Allow
                  Action:
                      - aoss:APIAccessAll
                      - aoss:DeleteCollection
                      - aoss:UpdateCollection
                  Resource:
                      - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
                - Effect: Allow
                  Action:
                      - aoss:DashboardsAccessAll
                  Resource:
                      - arn:aws:aoss:region:account-id:dashboards/default
                - Effect: Allow
                  Action:
                      - aoss:*
                  Resource:
                      - "*"
    
  • So does:

    Resource: 
        - "*"
    

    need to remain for "aoss:*", or can this be narrowed down to a specific index? Apologies if this is a silly question, just wanted to double check.

  • As far as I can see from the documentation, only the policy I described can narrow down the resource type. So, if you want to allow "aoss:*", the resource type must be "*".
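The pattern the accepted answer describes can be caught before deployment. The following lint is an added example, not code from the question, the answer or AWS; it encodes only the resource-type facts the answer cites (APIAccessAll, DeleteCollection and UpdateCollection accept a collection/ ARN, DashboardsAccessAll accepts a dashboards/ ARN, everything else and any wildcard action needs Resource "*") and takes the statements as Python dicts equivalent to the YAML above.

```python
import re

# Resource type each action can be scoped to, taken from the answer's table.
# Any aoss action not listed here (and any wildcard action) needs Resource "*".
SCOPABLE_ACTIONS = {
    "aoss:APIAccessAll": "collection",
    "aoss:DeleteCollection": "collection",
    "aoss:UpdateCollection": "collection",
    "aoss:DashboardsAccessAll": "dashboards",
}
# arn:aws:aoss:<region>:<account>:<type>/<id>; ${aws:...} placeholders are allowed
# in the region and account segments because the Serverless Framework expands them.
ARN_RE = re.compile(
    r"^arn:aws:aoss:(?:\$\{[^}]*\}|[^:]*):(?:\$\{[^}]*\}|[^:]*):(collection|dashboards)/"
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(statement):
    """Return findings for one Allow statement; an empty list means it is consistent."""
    findings = []
    for resource in _as_list(statement.get("Resource", [])):
        if resource == "*":
            continue  # "*" covers every resource type, so any aoss action is fine here
        match = ARN_RE.match(resource)
        if not match:
            findings.append(f"unrecognised aoss ARN {resource!r}")
            continue
        arn_type = match.group(1)
        for action in _as_list(statement.get("Action", [])):
            if "*" in action:
                findings.append(f'{action} expands to actions that need Resource "*"; '
                                f"scoping it to a {arn_type}/ ARN denies them (403)")
            elif SCOPABLE_ACTIONS.get(action) != arn_type:
                findings.append(f"{action} cannot be scoped to a {arn_type}/ ARN")
    return findings

def lint_policy(statements):
    """Map statement index -> findings, keeping only statements with problems."""
    report = {}
    for idx, stmt in enumerate(statements):
        problems = lint_statement(stmt)
        if problems:
            report[idx] = problems
    return report

# Constructed sample input: the question's "breaking example" as dicts.
BREAKING = [
    {"Effect": "Allow", "Action": ["aoss:APIAccessAll"],
     "Resource": ["arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id"]},
    {"Effect": "Allow", "Action": ["aoss:*"],
     "Resource": ["arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id*"]},
]

if __name__ == "__main__":
    for idx, problems in lint_policy(BREAKING).items():
        print(f"statement {idx}: " + "; ".join(problems))
```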
