AWS OpenSearch Snapshot not allowed in ISM policy

Hello,

Encountering an “Authorization error” indicates the FGAC permissions are not sufficient for accessing the visual builder interface so double check the user has the appropriate permissions assigned.

The error message "You have actions that are not allowed in your policy [snapshot]" suggests that the snapshot action is not allowed in the ISM policy you are trying to create. Please review the ISM policy configuration and take into account the following restrictions when using the Security plugin:

• To perform snapshot and restore operations, users must have the built-in manage_snapshots role
• You can’t restore snapshots that contain a global state or the .opendistro_security index

More Information:

• Snapshots: https://opensearch.org/docs/latest/tuning-your-cluster/availability-and-recovery/snapshots/snapshot-restore
• Index State Management Policies: https://opensearch.org/docs/latest/im-plugin/ism/policies

Hello, Thanks for your reply. I am using the master user to perform this action, it has all cluster and index permissions. The problem is there whether I try to use the visual builder, JSON format from the console, or JSON using direct HTTP requests to OpenSearch.

I have another staging OpenSearch domain that has the exact same configurations, and I couldn't reproduce the issue there. The only difference between the two domains is that on the production domain, I enabled the FGAC before upgrading from ES to OpenSearch 2.11.