OpenSearch FGAC 403 despite IAM user ARN mapped in backend role

0

Hi, I have an OpenSearch domain. It is configured with SAML via Google Workspace, and login to dashboards via that works fine. However, when attempting to access the OpenSearch API via an IAM user's access key, the fine-grained access control system is returning a 403 error.

  • I have followed the troubleshooting advice for this 403 error here https://repost.aws/knowledge-center/opensearch-fgac-errors, and can confirm that a backend role mapped user exists. This backend role user is the ARN of the user I am connecting with (I have double-checked that the ARN matches).
  • I am attempting to access the API with a regular IAM user's credentials (rather than an IAM Identity Center user).
  • The OpenSearch domain version is 2.17
  • The error text received is 403, 'security_exception', 'no permissions for [cluster:monitor/health] and User [name=arn:aws:iam::<account-redacted>:user/AppDataPipeline, backend_roles=[], requestedTenant=null]'
2 Answers
0

However, the backend-role-mapped user ARN matches, but it is not being recognized at runtime. OpenSearch also requires explicit permissions for [cluster:monitor/health].

Possible Issues:

OpenSearch Role Definition: The OpenSearch role associated with the backend role needs the necessary permissions. If the API request is not signed correctly with the IAM user's credentials, OpenSearch cannot identify the user and associate it with the backend role.

answered 10 days ago
  • The OpenSearch role associated with this backend role is assigned cluster:monitor/* and unlimited cluster permissions. The API request is being generated via the Python package requests_aws4auth v1.3.1 (the latest), and there is no failed login appearing in the audit log as might be expected if the API request was not being signed correctly.
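Offline triage helpers for the three things this thread turns on: what the 403 text says FGAC resolved, whether the role mapping lists that exact principal, and whether the role's cluster_permissions cover the denied action. This is an added example, not code from the question or either answer; the error text and JSON are constructed, and the JSON shapes are assumed to be those returned by the security plugin's roles and rolesmapping APIs.

```python
"""Offline triage helpers for an OpenSearch FGAC 403 on an IAM-signed request.
Added example, not code from the question or the answers. The error text and
the role/mapping JSON below are constructed samples; the JSON follows the shape
of GET _plugins/_security/api/roles and GET _plugins/_security/api/rolesmapping.
"""
import fnmatch
import re

# Format of the security plugin's 403 message, as quoted in the question.
_ERR_RE = re.compile(
    r"no permissions for \[(?P<perm>[^\]]+)\] and User "
    r"\[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]"
)

def parse_security_exception(msg):
    """Return the denied action, the principal FGAC resolved, and its backend roles."""
    m = _ERR_RE.search(msg)
    if not m:
        raise ValueError("not an OpenSearch security_exception message")
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"permission": m.group("perm"), "user": m.group("name"), "backend_roles": roles}

def roles_mapped_to(mapping, principal):
    """Roles whose mapping lists the principal, as a user or a backend role.
    The comparison is exact: FGAC does not normalise case or whitespace."""
    return [role for role, body in mapping.items()
            if principal in body.get("users", []) or principal in body.get("backend_roles", [])]

def near_misses(mapping, principal):
    """Mapping entries that look like the principal but will never match exactly."""
    return [f"{role}: {entry!r} differs from the caller ARN only in case or whitespace"
            for role, body in mapping.items()
            for entry in body.get("users", []) + body.get("backend_roles", [])
            if entry != principal and entry.strip().lower() == principal.lower()]

def role_grants(role_def, action):
    """True if a cluster_permissions pattern such as 'cluster:monitor/*' covers the action.
    Named action groups (e.g. 'cluster_monitor') are not expanded here."""
    return any(fnmatch.fnmatchcase(action, p) for p in role_def.get("cluster_permissions", []))

# Constructed sample: the question's error text, plus a mapping with a planted trailing space.
SAMPLE_ERROR = ("no permissions for [cluster:monitor/health] and User [name=arn:aws:iam::"
                "<account-redacted>:user/AppDataPipeline, backend_roles=[], requestedTenant=null]")
SAMPLE_MAPPING = {
    "pipeline_reader": {"users": [], "backend_roles": ["arn:aws:iam::<account-redacted>:user/AppDataPipeline "]},
    "all_access": {"users": ["admin"], "backend_roles": []},
}
SAMPLE_ROLE = {"cluster_permissions": ["cluster:monitor/*"]}
```

Run `parse_security_exception` on the real 403 body, then feed the live rolesmapping and roles JSON to the other two helpers: an empty `roles_mapped_to` result with a non-empty `near_misses` list points at the mapping text rather than at signing.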

0

A workaround is to add a new master user ("Set IAM ARN as master user") with the IAM user's ARN. However, now this user is a master user, presumably with full admin access to the cluster.

answered 10 days ago
