When you've configured Amazon OpenSearch with fine-grained access control and set an IAM ARN as the master user, you cannot directly sign in to the OpenSearch dashboard using the IAM user credentials. Instead, you need to use Amazon Cognito authentication for accessing the dashboard. Here's how you can set this up:
- Configure Amazon Cognito authentication for your OpenSearch domain. This involves creating a Cognito user pool and identity pool.
- In the OpenSearch Service console, edit the security configuration of your domain to enable Amazon Cognito authentication for OpenSearch Dashboards.
- Ensure that one of the assumed roles from the Cognito identity pool matches the IAM role you specified as the master user.
- If you receive a "Missing Role" error when trying to access the dashboard, you may need to update your domain's security configuration:
  - Go to the OpenSearch Service console
  - Select your domain and choose "Actions" then "Edit security configuration"
  - Choose "Set IAM ARN as your master user"
  - Enter the Amazon Cognito identity pool role's ARN in the "IAM ARN" field
  - Save the changes
- Once configured correctly, you should be able to access the OpenSearch dashboard through the Cognito login page.
Remember, when using IAM for user management with fine-grained access control, direct login to the dashboard with IAM credentials is not possible. Cognito authentication acts as an intermediary, allowing you to leverage your IAM roles while providing a login interface for the dashboard.
Sources
Fine-grained access control in Amazon OpenSearch Service - Amazon OpenSearch Service
Amazon Cognito authentication issues with OpenSearch Dashboards | AWS re:Post
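The role-matching step in the answer above can be checked before touching the domain. The following is an added example, not part of the answer or of AWS's code: it compares the master user ARN you entered in the domain's security configuration with the roles in a `GetIdentityPoolRoles` response from the Cognito Identity API. The function names, account ID and role names are constructed for illustration, and the master user ARN is passed in by hand.

```python
# Added example: offline check of an identity pool's roles against the
# OpenSearch master user ARN. SAMPLE_POOL_ROLES is constructed data in the
# shape returned by `aws cognito-identity get-identity-pool-roles`.
SAMPLE_POOL_ROLES = {
    "IdentityPoolId": "us-east-1:00000000-0000-0000-0000-000000000000",
    "Roles": {
        "authenticated": "arn:aws:iam::123456789012:role/Cognito_DashboardsAuth_Role",
        "unauthenticated": "arn:aws:iam::123456789012:role/Cognito_DashboardsUnauth_Role",
    },
}


def candidate_roles(pool_roles):
    """Yield (source, role_arn) for each role the pool is configured to issue.

    Covers the default roles and rule-based mappings. Token-based mappings
    take the role from claims in the ID token and are not visible here.
    """
    for kind, arn in pool_roles.get("Roles", {}).items():
        yield kind, arn
    for provider, mapping in pool_roles.get("RoleMappings", {}).items():
        for rule in mapping.get("RulesConfiguration", {}).get("Rules", []):
            yield "rule:" + provider, rule["RoleARN"]


def check_master_user(master_arn, pool_roles):
    """Compare the configured master user ARN with the pool's roles."""
    findings = []
    if ":role/" not in master_arn:
        findings.append("master user ARN is not an IAM role; "
                        "an identity pool only issues role credentials")
    matches = [src for src, arn in candidate_roles(pool_roles)
               if arn == master_arn]
    if not matches:
        findings.append("no identity pool role equals the master user ARN")
    if "unauthenticated" in matches:
        # The master user has full permissions under fine-grained access control.
        findings.append("unauthenticated role is the master user: identities "
                        "that never signed in would map to it")
    return {"matches": matches, "findings": findings}


if __name__ == "__main__":
    auth = SAMPLE_POOL_ROLES["Roles"]["authenticated"]
    print(check_master_user(auth, SAMPLE_POOL_ROLES))
    print(check_master_user("arn:aws:iam::123456789012:user/admin",
                            SAMPLE_POOL_ROLES))
```

An empty `findings` list with `matches` containing `authenticated` is the configuration the answer describes; any finding points at the step to revisit.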