I have created a role (TheSnapshotRole) and then logged into the OpenSearch dashboard -> Security -> Internal users -> (my admin user) -> Backend roles and added the TheSnapshotRole for the.
TheSnapshotRole is not to be assigned to the OpenSearch admin user. There are some subtle differences between OpenSearch users and AWS IAM users and policy assignments which sometimes create confusion :)
Using this document as reference:
- You have created TheSnapshotRole, which is fine (IAM role row in the Prereq section).
- Assign the policies mentioned in the Permissions row of the Prereq section of the document to a non-admin IAM user. Better to create an IAM user specific for this purpose, on the basis of providing least privilege, since it will be used in the next step. (The document states you can use a role ARN also, but I have not tried that, so I stick with recommending an IAM user.)
- Specify this IAM user's ARN (the user created in the previous step) in OpenSearch dashboard -> Security -> Roles -> manage_snapshots -> Mapped users -> Manage mapping -> Users section.
- Make the necessary substitutions to the Python script and run the script with the AWS creds of the IAM user created in the previous step to register the S3 repository.
- You have an admin OpenSearch user which you use to log in to the OpenSearch dashboard and manage creation of snapshots (the actual backups), but this user is not used to create the S3 repository for snapshots.
--Syd
Thanks a lot, I'm lucky to have found this post!
The 3rd point is important: pasting the ARN "arn:aws:iam::90****:user/***" as a user succeeded; it failed when using the internal username.
Hi guys, after two days struggling with manual OpenSearch snapshots I found your post; I recreated the procedure without success.
This is what I'm doing:
- Create TheSnapshotRole:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": ["s3:ListBucket"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::yyy-opensearch-snapshots"]
      },
      {
        "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Effect": "Allow",
        "Resource": ["arn:aws:s3:::yyy-opensearch-snapshots/*"]
      }
    ]
  }
- The TheSnapshotRole trust relationship:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "Service": "es.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    ]
  }
- I created an IAM user (snapuser) and attached this policy to it:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::yyy:role/TheSnapshotRole"
      },
      {
        "Effect": "Allow",
        "Action": "es:ESHttpPut",
        "Resource": "arn:aws:es:us-east-2:yyy:domain/opensearch-yyy/*"
      }
    ]
  }
- In the OpenSearch console, Security - Roles, I created a new role with these permissions:
  cluster:admin/snapshot/create
  cluster:admin/snapshot/get
  cluster:admin/snapshot/status
  cluster:admin/snapshot/delete
  cluster:admin/repository/delete
  cluster:admin/repository/get
  cluster:admin/repository/put
  cluster:admin/repository/verify
- Under Roles - Mapped users, I added my created IAM user (snapuser) ARN to backend roles: arn:aws:iam::yyy:user/snapuser
- Trying to create the repository through the Python script, authenticating with the created user (snapuser) and its AWS credentials, I get this error:
  {
    "error": {
      "root_cause": [
        {
          "type": "security_exception",
          "reason": "*no permissions for [cluster:admin/repository/put] and User [name=arn:aws:iam::yyy:user/snapuser*, backend_roles=[], requestedTenant=null]"
        }
      ],
      "type": "security_exception",
      "reason": "*no permissions for [cluster:admin/repository/put] and User [name=arn:aws:iam::yyy:user/snapuser*, backend_roles=[], requestedTenant=null]"
    },
    "status": 403
  }
Any idea?
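The following Python is an added example, not code from this thread, from AWS, or from the OpenSearch project. It covers both Syd's checklist above and the configuration posted after it: it checks the three IAM documents (the role's permissions, its trust policy, and the user's policy) for the prerequisites the thread lists, builds the body the registration script sends to `PUT /_snapshot/<name>`, and parses the `security_exception` reason so the identity the cluster saw (the user ARN and its empty `backend_roles` list, which is why Syd's point 3 maps the user ARN under "Users" rather than as a backend role) can be read off directly. The sample policies, the account id `111122223333`, the bucket and domain names, and the `check_prerequisites` / `diagnose_security_exception` helper names are constructed assumptions; the ARN matching is deliberately simplified (Allow statements only, exact or trailing-`*` matches, no Deny/Condition/NotAction handling).

```python
import json
import re

# Constructed sample documents modelled on the thread's policies; account id,
# bucket and domain names are placeholders, not real values.
ACCOUNT = "111122223333"
BUCKET = "yyy-opensearch-snapshots"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/TheSnapshotRole"
DOMAIN_ARN = f"arn:aws:es:us-east-2:{ACCOUNT}:domain/opensearch-yyy"

ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "es.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN},
        {"Effect": "Allow", "Action": "es:ESHttpPut", "Resource": f"{DOMAIN_ARN}/*"},
    ],
}
# Constructed copy of the 403 body shape shown in the thread.
SECURITY_ERROR = {
    "error": {"type": "security_exception",
              "reason": "no permissions for [cluster:admin/repository/put] and User "
                        f"[name=arn:aws:iam::{ACCOUNT}:user/snapuser, backend_roles=[], requestedTenant=null]"},
    "status": 403,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, resource):
    # Exact ARN match or trailing-'*' prefix match; other IAM wildcards are out of scope.
    if pattern == "*" or pattern == resource:
        return True
    return pattern.endswith("*") and resource.startswith(pattern[:-1])


def allows(policy, action, resource):
    """True if some Allow statement grants `action` on `resource` (Deny/Condition ignored)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if action not in actions and "*" not in actions:
            continue
        if any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def trusts_service(trust_policy, service):
    """True if the role's trust policy lets `service` call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and service in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False


def check_prerequisites(role_policy, trust_policy, user_policy, role_arn, bucket, domain_arn):
    """Return the list of missing prerequisites; an empty list means everything is in place."""
    missing = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if not allows(role_policy, "s3:ListBucket", bucket_arn):
        missing.append(f"role lacks s3:ListBucket on {bucket_arn}")
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        if not allows(role_policy, action, f"{bucket_arn}/some-object"):
            missing.append(f"role lacks {action} on {bucket_arn}/*")
    if not trusts_service(trust_policy, "es.amazonaws.com"):
        missing.append("role trust policy does not let es.amazonaws.com assume it")
    if not allows(user_policy, "iam:PassRole", role_arn):
        missing.append(f"user lacks iam:PassRole on {role_arn}")
    if not allows(user_policy, "es:ESHttpPut", f"{domain_arn}/_snapshot/my-repo"):
        missing.append(f"user lacks es:ESHttpPut on {domain_arn}/_snapshot/*")
    return missing


def repository_body(bucket, region, role_arn):
    """Body for PUT /_snapshot/<name>: the S3 repository registration the script sends."""
    return {"type": "s3", "settings": {"bucket": bucket, "region": region, "role_arn": role_arn}}


def diagnose_security_exception(body):
    """Extract the identity the cluster evaluated (name and backend roles) from a 403 body."""
    m = re.search(r"User \[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]",
                  body["error"]["reason"])
    if not m:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    # With no backend roles, the only handle the security plugin has is the name (user ARN),
    # so the mapping must be by user, which is what point 3 of the answer above does.
    return {"name": m.group("name"), "backend_roles": roles, "map_by": "user" if not roles else "backend_role"}


if __name__ == "__main__":
    print("missing:", check_prerequisites(ROLE_POLICY, TRUST_POLICY, USER_POLICY, ROLE_ARN, BUCKET, DOMAIN_ARN))
    print(json.dumps(repository_body(BUCKET, "us-east-2", ROLE_ARN)))
    print(diagnose_security_exception(SECURITY_ERROR))
```

Run it as-is to see the three prerequisite documents pass, then delete the `iam:PassRole` statement from `USER_POLICY` to see the checker name exactly what is missing; the parsed 403 shows the identity arriving with `backend_roles=[]`, so adding the ARN as a backend role (as in the post above) leaves nothing for the role mapping to match.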