However, the backend-role-mapped user ARN matches, but it is not being recognized at runtime. OpenSearch also requires explicit permissions for [cluster:monitor/health].
Possible Issues:
OpenSearch Role Definition: The OpenSearch role associated with the backend role needs the necessary permissions. If the API request is not signed correctly with the IAM user's credentials, OpenSearch cannot identify the user and associate it with the backend role.
The OpenSearch role associated with this backend role is assigned cluster:monitor/* and unlimited cluster permissions. The API request is being generated via the python package requests_aws4auth v1.3.1 (the latest), and there is no failed-login appearing in the audit log as might be expected if the API request was not being signed correctly.
A workaround is to add a new master user ("Set IAM ARN as master user") with the IAM user's ARN. However, now this user is a master user, presumably with full admin access to the cluster.
This closed bug report seems similar: https://github.com/opensearch-project/security/issues/1419 But the AWS docs list this as the first recommended configuration here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-recommendations and so perhaps the recommended configuration does not work?
OK! Maybe you can try temporary credentials via STS, as this bypasses the backend role mapping. If temporary credentials via STS work, then this suggests that the problem is with the IAM user's permissions or the backend role mapping.
Here is the doc link: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
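As an added illustration of the two points in this thread (the request signing the asker relies on through requests_aws4auth, and the STS-credential test suggested in the last answer), here is a standard-library-only Python example. It is not code from the thread, from AWS, or from requests_aws4auth: it builds the SigV4 headers for a GET to /_cluster/health so you can see exactly which principal the domain is handed (the access key id in the Credential scope, plus the session token header when STS credentials are used), and it includes a probe that reports the HTTP status so a 403-without-failed-login can be distinguished from a signature failure. The endpoint, account id, and credentials are constructed placeholders. The mapping_principal helper encodes my assumption, to be checked against the FGAC documentation linked above, that a caller using assumed-role credentials is matched against the IAM role ARN rather than the STS assumed-role session ARN.

```python
# Added example (not from the re:Post thread): stdlib-only SigV4 signer for an
# OpenSearch GET /_cluster/health, to show which principal a signed request
# presents to the domain with IAM user keys or STS temporary credentials.
# Endpoint, account id and keys used here are constructed placeholders.
import datetime
import hashlib
import hmac
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day SigV4 key: HMAC chain over date, region, service, 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    return _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")


def canonical_query(query: str) -> str:
    """Sort parameters by name and percent-encode all but the unreserved characters."""
    enc = lambda s: urllib.parse.quote(s, safe="-_.~")
    pairs = sorted(urllib.parse.parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in pairs)


def canonical_request(method: str, path: str, query: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Build the canonical request (empty body) and the SignedHeaders list.
    headers maps lowercase header name -> value."""
    names = sorted(headers)
    canon_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed = ";".join(names)
    creq = "\n".join([method, path, canonical_query(query), canon_headers, signed, EMPTY_PAYLOAD_SHA256])
    return creq, signed


def sign_request(url: str, region: str, access_key: str, secret_key: str,
                 session_token: Optional[str] = None, amz_date: Optional[str] = None,
                 service: str = "es") -> Dict[str, str]:
    """Return headers for a signed GET. The Credential scope carries the access key id;
    the domain resolves that key (plus the session token for STS credentials) to an
    IAM principal and only then consults the backend role mapping."""
    parts = urllib.parse.urlsplit(url)
    amz_date = amz_date or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": parts.netloc, "x-amz-date": amz_date}
    if session_token:
        # Temporary credentials are only accepted when the token is sent and signed.
        headers["x-amz-security-token"] = session_token
    creq, signed = canonical_request("GET", parts.path or "/", parts.query, headers)
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def mapping_principal(caller_arn: str) -> str:
    """ASSUMPTION (not stated in the thread; verify against the FGAC docs): a caller
    using STS assumed-role credentials (arn:aws:sts::ACCT:assumed-role/ROLE/SESSION)
    is matched against arn:aws:iam::ACCT:role/ROLE, so that is the ARN that belongs
    in the backend role mapping. IAM user ARNs are matched as-is."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def probe_cluster_health(url: str, headers: Dict[str, str], timeout: int = 10) -> Tuple[int, str]:
    """Send the signed GET and return (status, body). A 403 with no 'failed login'
    event in the audit log means the signature verified but the mapped role lacks
    cluster:monitor/health, or the caller resolved to an ARN that is not mapped."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed placeholders; in practice take AccessKeyId, SecretAccessKey and
    # SessionToken from the environment or from the sts:AssumeRole response.
    endpoint = "https://search-example-domain.us-east-1.es.amazonaws.com/_cluster/health"
    hdrs = sign_request(endpoint, "us-east-1", "AKIAEXAMPLEKEY", "EXAMPLE-SECRET",
                        session_token="EXAMPLE-SESSION-TOKEN")
    print(hdrs["authorization"])
    print(mapping_principal("arn:aws:sts::123456789012:assumed-role/os-reader/session1"))
    # print(probe_cluster_health(endpoint, hdrs))  # needs network access to a real domain
```

Run it once with the IAM user's keys and once with the AssumeRole output (passing the SessionToken), and compare the Credential scope and the ARN returned by mapping_principal with what is actually listed under the OpenSearch role's backend roles; if the STS call succeeds and the user-key call still returns 403, the difference between the two principals is where to look.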