Hello,
Based on the information provided, it seems you have followed the correct steps to set up cross-account access for your OpenSearch ingestion pipeline. However, there might be a few additional steps or considerations required to resolve the 403 Forbidden error.

- Trust Policy Update: In the trust policy of the IAM role created in Account A (with OSIS:Ingest permission), you need to add the principal ARN of the IAM role associated with the Lambda function in Account B. This will allow the Lambda function's role to assume the role in Account A.
- Lambda Function Role Permissions: In Account B, the IAM role associated with the Lambda function should have the `sts:AssumeRole` permission to assume the IAM role created in Account A. You can add this permission to the role's policy document.
- Lambda Function Code: In your Lambda function code (Account B), you need to assume the IAM role in Account A before making the POST request to the OpenSearch ingestion endpoint. You can use the `aws-sdk` library in your Lambda function to assume the role and then make the request with the temporary credentials.

By following these steps, you should be able to resolve the 403 Forbidden error and successfully send data to the OpenSearch ingestion pipeline in Account A from the Lambda function in Account B.

You can read more information here: https://repost.aws/knowledge-center/opensearch-delegate-access-iam
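The three pieces the answer above lists (the trust policy on the Account A role, the `sts:AssumeRole` grant on the Account B Lambda role, and Lambda code that assumes the role before signing the POST), written out as an added example. This is not code from the answer or from AWS: the account ids, role names and pipeline URL are placeholders, the Node.js 18+ runtime with the AWS SDK v3 `@aws-sdk/client-sts` client and the `aws4` signing package are assumptions, and the STS and HTTP calls are injected so the flow can be checked without any AWS access. The trust-policy check is the one thing a practitioner tends to skip: the 403 from OSIS usually means the request was signed with Account B credentials that hold no `osis:Ingest` grant, so confirming that the Account A role actually trusts the Lambda role (and nothing broader) is worth doing before deploying.

```javascript
// Added example, not from the re:Post answer. All ARNs/URLs below are placeholders.
const ACCOUNT_A_ROLE_ARN = 'arn:aws:iam::111111111111:role/osis-ingest-role';           // Account A (placeholder)
const ACCOUNT_B_LAMBDA_ROLE_ARN = 'arn:aws:iam::222222222222:role/ingest-lambda-role';  // Account B (placeholder)
const PIPELINE_URL = 'https://log-pipeline-abc123.us-east-1.osis.amazonaws.com/log-pipeline/logs'; // placeholder

// Step 1: trust policy attached to the Account A role. Name the Lambda's role
// explicitly; trusting the whole Account B root would let any principal there assume it.
function buildTrustPolicy(lambdaRoleArn) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Principal: { AWS: lambdaRoleArn }, Action: 'sts:AssumeRole' }],
  };
}

// Step 2: identity policy on the Account B Lambda role. It only needs to assume the
// Account A role; the osis:Ingest permission stays on the Account A role.
function buildAssumeRolePolicy(targetRoleArn) {
  return {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Resource: targetRoleArn }],
  };
}

// Pre-deploy check: does this trust policy let `principalArn` call sts:AssumeRole?
// Principal.AWS and Action may each be a string or an array in IAM JSON.
function trustPolicyAllowsAssume(trustPolicy, principalArn) {
  const asList = (v) => (Array.isArray(v) ? v : [v]);
  return trustPolicy.Statement.some((s) =>
    s.Effect === 'Allow' &&
    asList(s.Action).includes('sts:AssumeRole') &&
    Boolean(s.Principal && s.Principal.AWS) &&
    asList(s.Principal.AWS).includes(principalArn));
}

// Step 3: Lambda logic. Assume the Account A role first, then sign the POST with the
// temporary credentials so OSIS evaluates a principal that holds osis:Ingest.
// `deps` carries the STS and HTTP functions; Lambda uses the real ones below.
async function ingest(records, deps) {
  const creds = await deps.assumeRole(ACCOUNT_A_ROLE_ARN, 'osis-ingest-lambda');
  return deps.signedPost(PIPELINE_URL, JSON.stringify(records), creds);
}

// Real STS call (assumption: AWS SDK v3 is available in the runtime).
async function defaultAssumeRole(roleArn, sessionName) {
  const { STSClient, AssumeRoleCommand } = require('@aws-sdk/client-sts');
  const out = await new STSClient({}).send(
    new AssumeRoleCommand({ RoleArn: roleArn, RoleSessionName: sessionName }));
  const c = out.Credentials;
  return { accessKeyId: c.AccessKeyId, secretAccessKey: c.SecretAccessKey, sessionToken: c.SessionToken };
}

// Real SigV4-signed POST (assumption: the `aws4` package is bundled with the function).
// The region is read from the OSIS endpoint host name; service name for OSIS is "osis".
async function defaultSignedPost(url, body, creds) {
  const aws4 = require('aws4');
  const u = new URL(url);
  const signed = aws4.sign({
    host: u.host, path: u.pathname, method: 'POST', service: 'osis',
    region: u.host.split('.')[1], headers: { 'Content-Type': 'application/json' }, body,
  }, creds);
  const res = await fetch(url, { method: 'POST', headers: signed.headers, body });
  return { status: res.status, text: await res.text() };
}

// Lambda entry point in Account B.
const handler = async (event) =>
  ingest(event.records, { assumeRole: defaultAssumeRole, signedPost: defaultSignedPost });

if (typeof module !== 'undefined') module.exports = { handler };
```

Use `buildTrustPolicy` and `buildAssumeRolePolicy` to generate the two policy documents you paste into the IAM console (or feed to IaC), run `trustPolicyAllowsAssume` against the trust policy you actually deployed, and keep the injected `deps` shape when unit-testing the handler so the test never needs live credentials.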