Cross-Account permission for OpenSearch Ingestion Pipeline

0
  • I have an OpenSearch ingestion pipeline in Account A and I have a lambda function in Account B.
  • I am trying to send data to the pipeline in Account A via the lambda function in Account B (making an HTTPS POST request to the OpenSearch Ingestion endpoint).

Followed this document to configure cross-account permissions: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/configure-client.html#configure-client-cross-account

Steps I have implemented so far

  1. I created a new IAM role (with OSIS:Ingest permission) in Account A where the pipeline is created.
     • I updated the trust policy of this role to allow the principal in Account B.
     • Query: since, in my case, the lambda function from Account B would make the POST request to the ingestion pipeline, do I attach the IAM role for the lambda function in the trust policy?
  2. I also updated the IAM role for the lambda function in Account B to assume the IAM role created in step 1.

Error log for the lambda function: 403 Forbidden error
1 Answer
0

Hello,

Based on the information provided, it seems you have followed the correct steps to set up cross-account access for your OpenSearch ingestion pipeline. However, there might be a few additional steps or considerations required to resolve the 403 Forbidden error.

  1. Trust Policy Update: In the trust policy of the IAM role created in Account A (with OSIS:Ingest permission), you need to add the principal ARN of the IAM role associated with the Lambda function in Account B. This will allow the Lambda function's role to assume the role in Account A.

  2. Lambda Function Role Permissions: In Account B, the IAM role associated with the Lambda function should have the sts:AssumeRole permission to assume the IAM role created in Account A. You can add this permission to the role's policy document.

  3. Lambda Function Code: In your Lambda function code (Account B), you need to assume the IAM role in Account A before making the POST request to the OpenSearch ingestion endpoint. You can use the aws-sdk library in your Lambda function to assume the role and then make the request with the temporary credentials.

By following these steps, you should be able to resolve the 403 Forbidden error and successfully send data to the OpenSearch ingestion pipeline in Account A from the Lambda function in Account B.

You can read more information here: https://repost.aws/knowledge-center/opensearch-delegate-access-iam

AWS
answered a month ago
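The three pieces the answer lists, written out as an added example (this is not code from the original post, the question asker, or the AWS documentation): the trust policy for the Account A role, the sts:AssumeRole permission for the Account B Lambda role, and Lambda code that assumes the role and then signs the POST with the temporary credentials. Account IDs, role names, the pipeline name and the ingestion endpoint URL are placeholders I made up; the AWS documentation linked in the question signs with botocore's SigV4Auth, whereas this example implements Signature Version 4 with the standard library so the signing and policy helpers run offline.

```python
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlparse

# Placeholder identifiers, assumed for this example (not from the original post).
PIPELINE_ACCOUNT = "111111111111"   # Account A: owns the OSIS pipeline
LAMBDA_ACCOUNT = "222222222222"     # Account B: owns the Lambda function
REGION = "us-east-1"
INGEST_ROLE_ARN = f"arn:aws:iam::{PIPELINE_ACCOUNT}:role/osis-cross-account-ingest"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{LAMBDA_ACCOUNT}:role/lambda-execution-role"
PIPELINE_ARN = f"arn:aws:osis:{REGION}:{PIPELINE_ACCOUNT}:pipeline/log-pipeline"
INGEST_URL = f"https://log-pipeline-abcd1234.{REGION}.osis.amazonaws.com/log-pipeline/logs"


def trust_policy(lambda_role_arn: str) -> dict:
    """Step 1: trust policy on the Account A role. The principal is the Lambda's
    execution role ARN in Account B (not the account root), so nothing else in
    Account B can assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": lambda_role_arn},
        "Action": "sts:AssumeRole",
    }]}


def ingest_permission_policy(pipeline_arn: str) -> dict:
    """Permission policy on the Account A role: osis:Ingest on this one pipeline only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "osis:Ingest", "Resource": pipeline_arn,
    }]}


def assume_role_permission_policy(target_role_arn: str) -> dict:
    """Step 2: permission policy on the Account B Lambda role, scoped to the Account A role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn,
    }]}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method: str, url: str, body: bytes, access_key: str, secret_key: str,
                  session_token: str, region: str, amz_date: str = None,
                  service: str = "osis") -> dict:
    """AWS Signature Version 4 over the request (stdlib only). The signing service
    name for OpenSearch Ingestion is "osis". The session token is a signed header
    because assumed-role credentials are temporary."""
    parsed = urlparse(url)
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    headers = {
        "content-type": "application/json",
        "host": parsed.netloc,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method, parsed.path or "/", parsed.query, canonical_headers, signed_headers,
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def assume_ingest_role(role_arn: str, session_name: str = "lambda-osis-ingest") -> dict:
    """Step 3, part 1: temporary credentials for the Account A role. boto3 is
    imported lazily so the policy and signing helpers above run without it."""
    import boto3  # present in the Lambda Python runtime
    resp = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


def post_to_pipeline(url: str, records: list, creds: dict, region: str = REGION) -> int:
    """Step 3, part 2: POST the records signed with the assumed-role credentials.
    Signing with the Lambda role's own credentials is rejected with 403, because
    that Account B role holds no osis:Ingest permission on the Account A pipeline."""
    body = json.dumps(records).encode()
    headers = sigv4_headers("POST", url, body, creds["AccessKeyId"],
                            creds["SecretAccessKey"], creds["SessionToken"], region)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def lambda_handler(event, context):
    creds = assume_ingest_role(INGEST_ROLE_ARN)
    return {"status": post_to_pipeline(INGEST_URL, event.get("records", []), creds)}
```

If the AssumeRole call succeeds but the POST still returns 403, the things to check are that the request is signed with the credentials returned by AssumeRole (including the session token), that the signing service name is `osis`, and that the `Resource` in the osis:Ingest statement matches the pipeline ARN.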
