Have you included the IAM user as a principal of the Open Search Domain Access Policy? https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource
From https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-access-policies

"Domain access policy: The second security layer is the domain access policy. After a request reaches a domain endpoint, the resource-based access policy allows or denies the request access to a given URI. The access policy accepts or rejects requests at the "edge" of the domain, before they reach OpenSearch itself."
Not explicitly. Do I need to do that? When I look at my policy, it appears that it is open to any user defined to AWS through my EC2 instance. Am I misinterpreting the wildcard?
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:507656403261:domain/rampart-test-opensearch/*"
    }
  ]
}
```
Looking at your policy, it looks like the Principal is set to "" which is not valid and the Action has not been specified correctly. The following should scope the policy to any IAM identity in the same account and will provide both read/write access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::507656403261:root" },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:507656403261:domain/rampart-test-opensearch/*"
    }
  ]
}
```

If you want to scope it to your EC2 IAM user, replace the principal with arn:aws:iam::507656403261:user/OpenSearchUser
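The answer above turns on two things a domain access policy must get right: who the principal is (a wildcard admits anyone, an account root or a specific user ARN scopes it) and whether the `es:` action is well-formed. The following checker is an added example, not code from the thread or from AWS; it builds constructed single-statement policies in the shapes discussed here (the account id, domain name and user name are taken from the thread) and reports the findings a reviewer would want before applying the policy.

```python
import re

# Values from this thread, reused to build constructed test policies.
DOMAIN_ARN = "arn:aws:es:us-east-1:507656403261:domain/rampart-test-opensearch/*"
ACCOUNT = "507656403261"

def make_policy(principal, action):
    """Build a single-statement domain access policy (constructed test input)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal},
        "Action": action, "Resource": DOMAIN_ARN}]}

# IAM principal ARNs the domain policy can name: account root, a user, or a role.
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/[\w+=,.@-]+|role/[\w+=,.@/-]+)$")
# OpenSearch Service actions: "es:*", "es:ESHttpGet", or a prefix wildcard like "es:ESHttp*".
ES_ACTION = re.compile(r"^es:(\*|[A-Za-z]+\*?)$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_access_policy(policy, domain_account):
    """Return findings for every Allow statement; an empty list means nothing to flag."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: principal '*' admits any caller, signed or anonymous, "
                                "unless a Condition or fine-grained access control restricts it")
            elif (m := IAM_ARN.match(p)) is None:
                findings.append(f"statement {i}: principal {p!r} is not a valid IAM principal ARN")
            elif m.group(1) != domain_account:
                findings.append(f"statement {i}: principal {p!r} belongs to another account")
        for a in _as_list(stmt.get("Action", [])):
            if not ES_ACTION.match(a):
                findings.append(f"statement {i}: action {a!r} is not a valid es: action")
    return findings

if __name__ == "__main__":
    for name, pol in [("wildcard", make_policy("*", "es:*")),
                      ("as rendered", make_policy("", "es:")),
                      ("account root", make_policy(f"arn:aws:iam::{ACCOUNT}:root", "es:*")),
                      ("one user", make_policy(f"arn:aws:iam::{ACCOUNT}:user/OpenSearchUser",
                                               ["es:ESHttpGet", "es:ESHttpPut"]))]:
        print(name, lint_access_policy(pol, ACCOUNT) or ["ok"])
```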
I have an EC2 instance, NiFi 3.2. On this EC2 instance I run Apache NiFi. This EC2 instance has IAM Role rampart-nifi-ec2. IAM Role rampart-nifi-ec2 is granted three Permissions policies:

- AmazonOpenSearchServiceCognitoAccess, which I am not currently using for anything
- AmazonOpenSearchServiceFullAccess
- AmazonS3FullAccess

Policy AmazonOpenSearchServiceFullAccess associates with two entities:

- User OpenSearchUser
- Role rampart-nifi-ec2
I created user OpenSearchUser as a User in AWS. I generated an Access key and a Secret key for it.
I did this because I wanted a key pair for a user to test my PUT and GET access to Amazon OpenSearch from my EC2. After that test my eventual use case is to submit the curls from ExecuteStreamCommand within my NiFi flows, and that appears to require the key pair.
Do you have an IAM role attached to your EC2 server or are you manually configuring an IAM user and access keys?
What is the IAM permission attached to the IAM user/role?