Access denied (403) when creating an index in OpenSearch Serverless.

0

I am trying to create a minimal working example for working with AWS OpenSearch Serverless. With the help of this tutorial, this is the code:

import boto3
from opensearchpy import OpenSearch, RequestsHttpConnection, AWSV4SignerAuth

host = 'onb565zzbfkjr3spn8v5.us-east-1.aoss.amazonaws.com'
region = 'us-east-1'

credentials = boto3.Session().get_credentials()
auth = AWSV4SignerAuth(credentials, region)
client = OpenSearch(
    hosts = [{
        'host': host,
        'port': 443
    }],
    http_auth = auth,
    use_ssl = True,
    verify_certs=True,
    connection_class = RequestsHttpConnection
)

def create_index(index_name):
    index_body = {
      'settings': {
        'index': {
          'number_of_shards': 1
        }
      }
    }
    response = client.indices.create(index_name, body=index_body)
    print('\nCreating index:')
    print(response)

create_index('myindex')

I have performed the following steps:

  1. Created an IAM user that has the policies AmazonOpenSearchServiceFullAccess and AmazonESFullAccess (just in case). I also added two inline policies:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "aoss:APIAccessAll",
            "Resource": "*"
        }
    ]
}

and

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "aoss:DashboardsAccessAll",
            "Resource": "*"
        }
    ]
}

(for some reason, the latter two permissions are not shown when I create a collection)

  2. Executed aws configure to provide the keys and the region.

  3. Created a collection with the rule for Public access, the IAM user as the selected principal, and all accesses enabled.

Despite all this, I get 403 (Access denied) when trying to create an index. What could I be missing?

P.S. I had previously posted this question in StackOverflow.

2 Answers
1

You also need to create a data access policy in OpenSearch Serverless to allow access to the collections and indexes

Example Policy from Overview of security in Amazon OpenSearch Serverless

[
   {
      "Rules":[
         {
            "ResourceType":"index",
            "Resource":[
               "index/marketing/orders*"
            ],
            "Permission":[
               "aoss:*"
            ]
         }
      ],
      "Principal":[
         "arn:aws:iam::123456789012:user/Dale",
         "arn:aws:iam::123456789012:role/RegulatoryCompliance",
         "saml/123456789012/myprovider/user/Annie"
      ]
   }
]

References:

Also make sure your IAM user credentials are either stored in the default profile or provide boto3.Session with the profile_name, https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#shared-credentials-file

AWS
answered 10 months ago
  • Don't items 2 and 3 in the question say that I did all this?

  • Hi,

    for item #2 - aws configure can be executed to configure a profile other than default. If you're using a profile name other than default then this profile name would have to be passed to boto3.Session as a named profile

    for item #3 - this tells me

    • a network policy rule was created allowing access to collections from Public.
      Can you confirm that this policy is allowing public access to OpenSearch endpoint and not just OpenSearch Dashboards and that your collection name is selected?

    • a data access policy rule was created with an IAM user granted permissions.
      Can you confirm that this policy is granting permissions to both indexes index/<collection-name>/* as well as collections collection/<collection-name>?

    Where are you executing this Python script (local environment, EC2/Cloud9, etc)?

  • It is [default] and the only one. I am executing the script on my laptop. How do I confirm the things you suggested?

  • Checking the Network policy

    1. Go to AWS Management Console -> Amazon OpenSearch Service -> Serverless -> Collections -> <collection-name>
    2. In the Network section, see Associated policy
    3. Follow the link to the policy, review rule for Public access type. See network policies for policy information

    Checking the Data Access policy

    1. Go to AWS Management Console -> Amazon OpenSearch Service -> Serverless -> Collections -> <collection-name>
    2. In the Data access section, see Associated policy
    3. Follow the link to the policy, review rules for your IAM user, verify resources and permissions in Granted resources and permissions. See data access policy syntax for policy rules

    Other references: Network Policies Data access policies

  • Thank you very much for the detailed replies. Unfortunately I had to switch away from Serverless. Unlike the promise of Amazon that with serverless one pays only for what one uses (and that is what I came to expect after using Lambda), they charge for compute resources (not talking about data storage) per hour no matter whether one performs any actual computation or not. I incurred more than $40 charge while trying to access it! I would appreciate a suggestion as to how to approach Amazon to avoid this unfair charge.
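
The check the comments above ask for (does the data access policy grant the IAM principal both index/<collection-name>/* and collection/<collection-name>?) can be done offline against the policy JSON, which is what the added example below does. This is illustration code, not part of the question, the answer, or any AWS library; the collection name "myindexcoll", the account id and the principal ARN are constructed placeholders, and the policies are built here in the documented Rules/Principal shape rather than taken from a real account.

```python
import fnmatch
import json

# Constructed principal; the account id is a placeholder, not a real account.
PRINCIPAL = "arn:aws:iam::111122223333:user/example-user"

# A policy that covers both resource kinds for the hypothetical collection "myindexcoll".
COMPLETE_POLICY = json.dumps([{
    "Rules": [
        {"ResourceType": "index",
         "Resource": ["index/myindexcoll/*"],
         "Permission": ["aoss:*"]},
        {"ResourceType": "collection",
         "Resource": ["collection/myindexcoll"],
         "Permission": ["aoss:*"]},
    ],
    "Principal": [PRINCIPAL],
}])

# The same policy with the collection rule left out: the gap the comment above asks
# the asker to rule out.
INDEX_ONLY_POLICY = json.dumps([{
    "Rules": [
        {"ResourceType": "index",
         "Resource": ["index/myindexcoll/*"],
         "Permission": ["aoss:*"]},
    ],
    "Principal": [PRINCIPAL],
}])


def _permission_granted(granted, needed):
    """True if `needed` (e.g. 'aoss:CreateIndex') is covered by the rule's Permission list."""
    return any(p == "aoss:*" or p == needed for p in granted)


def _resource_matches(patterns, resource):
    """Resource entries are glob patterns such as 'index/marketing/orders*'."""
    return any(fnmatch.fnmatchcase(resource, pat) for pat in patterns)


def check_data_access(policy_json, principal, collection, index_name="*"):
    """Return which of the two resource kinds the policy grants to `principal`.

    Index-level access needs a rule matching index/<collection>/<index>; collection-level
    access needs one matching collection/<collection>.  `index_name="*"` asks whether the
    policy covers every index in the collection.  Both flags default to False so a missing
    rule shows up as a gap rather than an exception.
    """
    wanted = {
        "index": ("index/%s/%s" % (collection, index_name), "aoss:CreateIndex"),
        "collection": ("collection/%s" % collection, "aoss:CreateCollectionItems"),
    }
    result = {kind: False for kind in wanted}
    for statement in json.loads(policy_json):
        if principal not in statement.get("Principal", []):
            continue  # statement does not apply to this principal at all
        for rule in statement.get("Rules", []):
            kind = rule.get("ResourceType")
            if kind not in wanted:
                continue
            resource, needed = wanted[kind]
            if (_resource_matches(rule.get("Resource", []), resource)
                    and _permission_granted(rule.get("Permission", []), needed)):
                result[kind] = True
    return result


def missing_grants(policy_json, principal, collection):
    """Names of the resource kinds the policy does not cover, for a quick diagnosis."""
    status = check_data_access(policy_json, principal, collection)
    return sorted(kind for kind, ok in status.items() if not ok)


if __name__ == "__main__":
    print("complete policy:", check_data_access(COMPLETE_POLICY, PRINCIPAL, "myindexcoll", "myindex"))
    print("index-only policy is missing:", missing_grants(INDEX_ONLY_POLICY, PRINCIPAL, "myindexcoll"))
```

Paste the policy JSON shown under "Granted resources and permissions" in the console into `check_data_access` with your own principal ARN and collection name; an empty list from `missing_grants` means both rules are present for that principal, and anything else names the rule to add.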

0

I also had this issue and I don't believe that the suggested fixes would have solved the OP's problem.

The signer that is created is defaulting to signing requests for the es service (elastic search) which isn't correct for serverless.

Altering the auth line to auth = AWSV4SignerAuth(credentials, region, 'aoss') fixed it for me.

answered 4 months ago
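
Why the service name passed to the signer matters can be seen by signing the same request twice with plain-library SigV4, once for "es" and once for "aoss". The added example below is illustration code written for this page; it is not the opensearch-py or botocore implementation, and the access key, secret, endpoint host and frozen timestamp are constructed placeholders. It shows that the service name is part of both the derived signing key and the credential scope in the Authorization header, so a request signed for "es" carries a signature the "aoss" endpoint cannot validate.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials and endpoint: not real keys, not a real collection.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "examplesecretkey/example/notreal"
HOST = "example-collection.us-east-1.aoss.amazonaws.com"   # placeholder host
REGION = "us-east-1"
FIXED_TIME = datetime.datetime(2024, 1, 15, 12, 0, 0)       # frozen clock for stable output


def _sign(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """SigV4 key derivation: the service name is one of the four HMAC steps."""
    k_date = _sign(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _sign(k_date, region)
    k_service = _sign(k_region, service)
    return _sign(k_service, "aws4_request")


def sigv4_headers(method, path, body, service, now=FIXED_TIME):
    """Return the signed headers for `method path` with `body`, scoped to `service`."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    headers = {
        "host": HOST,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join("%s:%s\n" % (k, headers[k]) for k in sorted(headers))
    canonical_request = "\n".join([
        method,
        quote(path, safe="/~"),
        "",                      # no query string in this example
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    # Credential scope: <date>/<region>/<service>/aws4_request.  Passing 'es' here
    # produces a scope and signature bound to the wrong service.
    scope = "/".join([date_stamp, REGION, service, "aws4_request"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(SECRET_KEY, date_stamp, REGION, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s"
        % (ACCESS_KEY, scope, signed_headers, signature)
    )
    return headers


def credential_scope(headers):
    """Extract '<date>/<region>/<service>/aws4_request' from the Authorization header."""
    cred = headers["authorization"].split("Credential=")[1].split(",")[0]
    return cred.split("/", 1)[1]


def signature_of(headers):
    return headers["authorization"].split("Signature=")[1]


if __name__ == "__main__":
    body = '{"settings": {"index": {"number_of_shards": 1}}}'
    for service in ("es", "aoss"):
        h = sigv4_headers("PUT", "/myindex", body, service)
        print(service, credential_scope(h), signature_of(h)[:16] + "...")
```

When debugging a 403 from a serverless collection, comparing the Credential= scope in the outgoing Authorization header against the expected `/aoss/aws4_request` is a quick way to tell a signer-scope mistake apart from a missing data access or network policy rule.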
