I have a Lambda function with Python code that connects to my OpenSearch service. Now when I test the code in Lambda I get this error:
```
"body": "{\"Message\":\"User: arn:aws:sts::700875800956:assumed-role/lambdaRole/testFunction is not authorized to perform: es:ESHttpGet because no identity-based policy allows the es:ESHttpGet action\"}"
```
But the lambdaRole has all these permissions, so I don't know what I'm doing wrong.
This is the JSON of the OpenSearch Service policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "es:DeleteOutboundConnection",
                "es:UpdateVpcEndpoint",
                "es:DeletePackage",
                "es:ListVpcEndpoints",
                "es:ListVpcEndpointsForDomain",
                "es:ListElasticsearchInstanceTypeDetails",
                "es:ListDomainsForPackage",
                "es:ListInstanceTypeDetails",
                "es:AuthorizeVpcEndpointAccess",
                "es:AcceptInboundConnection",
                "es:DeleteElasticsearchServiceRole",
                "es:DescribeInboundConnections",
                "es:DescribeOutboundConnections",
                "es:DescribeReservedInstances",
                "es:AcceptInboundCrossClusterSearchConnection",
                "es:DescribeReservedInstanceOfferings",
                "es:DescribeInstanceTypeLimits",
                "es:DescribeVpcEndpoints",
                "es:ListVpcEndpointAccess",
                "es:DeleteInboundCrossClusterSearchConnection",
                "es:DescribeOutboundCrossClusterSearchConnections",
                "es:DeleteOutboundCrossClusterSearchConnection",
                "es:DescribeReservedElasticsearchInstanceOfferings",
                "es:CreateServiceRole",
                "es:CreateElasticsearchServiceRole",
                "es:UpdatePackage",
                "es:RejectInboundCrossClusterSearchConnection",
                "es:DeleteInboundConnection",
                "es:GetPackageVersionHistory",
                "es:RejectInboundConnection",
                "es:PurchaseReservedElasticsearchInstanceOffering",
                "es:CreateVpcEndpoint",
                "es:DescribeInboundCrossClusterSearchConnections",
                "es:ListVersions",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:PurchaseReservedInstanceOffering",
                "es:CreatePackage",
                "es:DeleteVpcEndpoint",
                "es:DescribePackages",
                "es:ListElasticsearchInstanceTypes",
                "es:ListElasticsearchVersions",
                "es:DescribeElasticsearchInstanceTypeLimits",
                "es:RevokeVpcEndpointAccess"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "arn:aws:es:xxxx:domain/project"
        }
    ]
}
```
I added it, but then I get this error:
```
"body": "{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxx:role/lambdaRole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxxx:role/lambdaRole], requestedTenant=null]"},"status":403}"
```
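The two errors in the question come from two different authorization layers: the first is IAM rejecting the call because the role's identity-based policy lacks the data-plane `es:ESHttp*` actions (the control-plane actions listed above do not cover search requests), and the second is the domain's fine-grained access control (the OpenSearch security plugin) rejecting it because the role ARN is not mapped to an OpenSearch role. The script below is an added example, not part of the question; it classifies such error bodies by layer, builds a least-privilege IAM statement, and builds the security-plugin role and role-mapping payloads. The account ID, region, domain ARN and index pattern are placeholders, and the two error bodies are constructed from the ones quoted above.

```python
import re

# Placeholders; the real values come from the account and domain in question.
DOMAIN_ARN = "arn:aws:es:REGION:ACCOUNT_ID:domain/project"
LAMBDA_ROLE_ARN = "arn:aws:iam::ACCOUNT_ID:role/lambdaRole"

# Constructed sample error bodies, shaped like the two errors in the question.
IAM_DENIAL = ('{"Message":"User: arn:aws:sts::ACCOUNT_ID:assumed-role/lambdaRole/testFunction '
              'is not authorized to perform: es:ESHttpGet because no identity-based policy '
              'allows the es:ESHttpGet action"}')
PLUGIN_DENIAL = ('{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions '
                 'for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/lambdaRole, '
                 'backend_roles=[arn:aws:iam::ACCOUNT_ID:role/lambdaRole], requestedTenant=null]"}],'
                 '"type":"security_exception","status":403}')

def classify_denial(body: str) -> str:
    """Which layer rejected the request: IAM never forwards the call to the domain,
    while a security_exception means IAM passed and the security plugin said no."""
    if "no identity-based policy allows" in body or "not authorized to perform: es:" in body:
        return "iam"
    if "security_exception" in body and "no permissions for" in body:
        return "fine-grained"
    return "unknown"

def missing_iam_action(body: str):
    """The es:* action IAM says is missing, e.g. es:ESHttpGet."""
    m = re.search(r"not authorized to perform: (es:\w+)", body)
    return m.group(1) if m else None

def missing_plugin_permission(body: str):
    """The OpenSearch permission the plugin says is missing, e.g. indices:data/read/search."""
    m = re.search(r"no permissions for \[([^\]]+)\]", body)
    return m.group(1) if m else None

def least_privilege_policy(domain_arn: str, actions=("es:ESHttpGet", "es:ESHttpPost")) -> dict:
    """Identity-based policy granting only the data-plane verbs the function uses,
    scoped to the domain and its index paths instead of es:* on everything."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions),
                           "Resource": [domain_arn, f"{domain_arn}/*"]}]}

def readonly_role_body(index_pattern: str) -> dict:
    """Body for PUT _plugins/_security/api/roles/<role>: read-only on one index pattern."""
    return {"cluster_permissions": ["cluster_composite_ops_ro"],
            "index_permissions": [{"index_patterns": [index_pattern], "allowed_actions": ["read"]}]}

def role_mapping_body(role_arn: str) -> dict:
    """Body for PUT _plugins/_security/api/rolesmapping/<role>: maps the IAM role ARN
    as a backend role, which is what the second error shows is absent."""
    return {"backend_roles": [role_arn]}
```

The security-plugin requests must be sent by a user that already holds the security manager role (the master user configured on the domain), not by the Lambda role being fixed.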