Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

403 "You don’t have authorization to access dashboards" on Public OpenSearch Serverless Collection

0

I have recently set up a public serverless connection for my Amazon OpenSearch collection with the network resource settings configured for both "Access to OpenSearch endpoints" and "Access to OpenSearch Dashboards".

Despite this public network configuration, I am encountering a "403 You don’t have authorization to access dashboards" error when I try to open the OpenSearch Dashboards URL. I have already ensured that the network access is set to public, but it appears there might be an issue with my authorization settings.

I have also setup data access policy, but keep getting 403 directly without even putting in my user access token and secret.

Topics
AnalyticsDatabaseSecurity, Identity, & Compliance
Tags
AWS Identity and Access ManagementAmazon OpenSearch ServerlessAmazon OpenSearch Service
Language
English
asked 8 months ago446 views
3 Answers
0

403 is related to authorization. Is your plan to allow anonymous access or who should be able to access it?

answered 8 months ago
  • sarim
    8 months ago

    So the problem is I go to the dashboard url, it gives me 403 directly, without even asking me for my access token or other details. How will I be able to access the dashboard?

    I have tried:

    1. Setting IAM user, giving him full access to serverless along with other permissions in the doc
    2. Tried access the dashboard through this user console
    3. Tried setting up SAML login in the application

    But same issue

  • Joakim Laine
    8 months ago

    Right, my guess would be the data access policy. Have you added these permissions stated here?

    "OpenSearch Serverless requires these two new IAM permissions for collection resources. The aoss:APIAccessAll permission allows data plane access, and the aoss:DashboardsAccessAll permission allows OpenSearch Dashboards from the browser. Failure to add the two new IAM permissions results in a 403 error."

    https://docs.aws.amazon.com/opensearch-service/latest/developerguide/security-iam-serverless.html

  • sarim
    8 months ago

    I am still getting a 403 Forbidden error on my OpenSearch Serverless dashboard despite the following configuration:

    1. IAM Policy: My SSO role has an IAM policy allowing "aoss:DashboardsAccessAll" and "aoss:APIAccessAll" on "Resource": "*".

    2. Network Policy: The collection is set to Public, with access enabled for both OpenSearch endpoints and Dashboards.

    3. Data Access Policy: A data access policy is configured for the collection, referencing the correct IAM Role ARN as the Principal and granting data permissions.

    I've verified the login role and tried incognito mode. What could still be causing the 403 error?

0

To resolve the 403 authorization error for OpenSearch Serverless dashboard access, there are several key requirements and troubleshooting steps to consider:

The IAM role or user needs two specific permissions: aoss:APIAccessAll for data plane access and aoss:DashboardsAccessAll for browser-based OpenSearch Dashboards access.

When accessing the dashboard, it's recommended to enter the URL directly in a new browser tab or window rather than clicking the link from the AWS Management Console, as the console may attempt to authenticate using the IAM user credentials.

For troubleshooting purposes, verify that:

  • The data access policy is properly configured with the correct IAM Role ARN as Principal
  • Network policy settings allow public access for both OpenSearch endpoints and Dashboards
  • All permissions are correctly set up in the IAM policy

If you're still experiencing issues, it's recommended to capture a HAR file while accessing the dashboard to help diagnose the specific cause of the authorization failure.

Example HAR file:

"response": 
{     
  "status": 403,
  "statusText": "Forbidden",
  "httpVersion": "HTTP/1.1",     
  "headers": [      
    {
      "name": "content-length",
      "value": "0"      
    },
    {       
      "name": "date",
      "value": "Mon, 17 Apr 2023 00:10:25 GMT"
    },      
    {       
      "name": "server",       
      "value": "aoss-amazon-d"      
    },
    {       
      "name": "x-aoss-response-hint",
      "value": "X01:dashboards-authz-denied"      
    },      
    {       
      "name": "x-envoy-upstream-service-time",
      "value": "19"      
    },      
    {       
      "name": "x-request-id",
      "value": "b559fd8f-315e-9fe9-a9e8-6ff5791b765a"
    }
...

Update your AWS Identity and Access Management (IAM) permissions to include the required permissions.

Reference:

How do I troubleshoot access to OpenSearch Serverless Dashboards to view my collection?

AWS
EXPERT
answered 8 months ago
0

Did you solve this @Sarim?

answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content