Getting 403 when trying to set/update index settings with CURL

1

I have set up a collection, a role for an ECS task that grants aoss:APIAccessAll on the collection to the task, a data access policy that grants all aoss permissions to the task role, and a network access policy. I then grab a command-line shell on the task container using ECS Execute Command, set the appropriate IAM auth variables/tokens/secrets, and then attempt to use curl to create an index.

First attempt at creating an index and setting index settings during creation. It fails with a 403 Forbidden.

bash-5.2# curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -XPUT --json '{ "settings": { "index.max_result_window" : "1000000" }}' "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2"
{"status":403,"request-id":"9f9c5b03-5fb0-97d4-94ae-496f9d896ab7","error":{"reason":"403 Forbidden","type":"Forbidden"}}

Second attempt at creation w/o any settings. It succeeds with a 200.

bash-5.2# curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -XPUT "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2"
{"acknowledged":true,"shards_acknowledged":true,"index":"dn_scottdnrm_sf2"}

So notice that in my first attempt I try to set some index settings during creation and I get 403 Forbidden. But if I try without setting any index settings it is successful. That does not make sense.

Then I try to use the update settings REST API after I create the index and I still get a 403.

bash-5.2# curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -XPUT --json '{ "index": { "max_result_window" : "1000000" }}' "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2/_settings"
{"status":403,"request-id":"6c1f6043-c308-9e2a-b2fa-c909aa1e3f2d","error":{"reason":"403 Forbidden","type":"Forbidden"}}

I am able to query the index settings:

bash-5.2# curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -XGET "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2/_settings"
{"dn_scottdnrm_sf2":{"settings":{"index":{"number_of_shards":"2","number_of_replicas":"0","uuid":"mmOH5ooB5JD2sfGgAXJJ","version":{"created":"135217827"},"provided_name":"dn_scottdnrm_sf2"}}}}

Why am I getting 403 errors trying to set/update index settings?

asked 7 months ago · 373 views
2 Answers
1
Accepted Answer

So my problem ended up being that I was not including the x-amz-content-sha256 header in my curl command. I mistakenly thought that curl would add it when I used the --aws-sigv4 flag.

So the following ended up working:

$ PAYLOAD='{ "settings": { "index": { "max_result_window" : 1000000 }}}'

$ SHA256_PAYLOAD=$(echo -n "$PAYLOAD" | openssl dgst -sha256 | awk '{print $NF}')   # keep only the hex digest; openssl prints it as "(stdin)= <hex>"

$ # the session-token header is needed with the temporary task-role credentials from the question
$ curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -H "Content-Type: application/json" -H "x-amz-content-sha256: $SHA256_PAYLOAD" -X PUT "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2" -d "$PAYLOAD"

answered 7 months ago
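The following is an added example, not code from the original question or either answer. It turns the accepted answer into a reusable shell helper: it hashes exactly the bytes that will be sent, always adds x-amz-content-sha256 (the empty-body digest for bodiless requests such as GET), keeps the x-amz-security-token header that the task-role credentials from the question require, and passes the body with --data-binary so it is transmitted unchanged. The function names payload_sha256 and aoss_request, the AOSS_DRY_RUN switch and the AWS_REGION variable are this example's own; the credential variable names follow the question. It assumes curl 7.76 or newer (for --aws-sigv4 and --fail-with-body) and one of sha256sum, openssl or shasum on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a helper that sends SigV4-signed
# requests to an OpenSearch Serverless (aoss) collection with curl and always
# includes x-amz-content-sha256, the header the accepted answer was missing.
# Assumes curl >= 7.76 (--aws-sigv4, --fail-with-body) and sha256sum, openssl or
# shasum on the PATH. AOSS_DRY_RUN, AWS_REGION and the function names are this
# example's own; the credential variable names follow the question.
set -eu

# Hex SHA-256 of stdin, digest only. openssl prints "(stdin)= <hex>" and
# sha256sum/shasum print "<hex>  -", so the tool-specific decoration is stripped.
payload_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{print $1}'
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 | awk '{print $NF}'
  else
    shasum -a 256 | awk '{print $1}'
  fi
}

# aoss_request METHOD PATH [JSON_BODY]
#   Reads OPENSEARCH_ENDPOINT, aws_access_key, aws_secret_key, aws_session_token
#   and optionally AWS_REGION (default us-east-1) from the environment.
#   With AOSS_DRY_RUN=1 it prints the curl arguments, one per line, instead of sending.
aoss_request() {
  local method="$1" path="$2" body="${3-}" region="${AWS_REGION:-us-east-1}" digest
  # Hash exactly the bytes that will go on the wire. An empty body hashes to
  # e3b0c442..., which is the digest SigV4 expects for bodiless requests.
  digest=$(printf '%s' "$body" | payload_sha256)
  set -- --silent --show-error --fail-with-body \
    --user "${aws_access_key:?}:${aws_secret_key:?}" \
    --aws-sigv4 "aws:amz:${region}:aoss" \
    -H "x-amz-security-token: ${aws_session_token:?}" \
    -H "x-amz-content-sha256: ${digest}" \
    -X "$method"
  if [ -n "$body" ]; then
    # --data-binary sends the body byte-for-byte, so the digest above stays valid.
    set -- "$@" -H "Content-Type: application/json" --data-binary "$body"
  fi
  set -- "$@" "${OPENSEARCH_ENDPOINT:?}${path}"
  if [ "${AOSS_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
    return 0
  fi
  curl "$@"
}
```

Usage mirrors the question: `AOSS_DRY_RUN=1 aoss_request PUT /dn_scottdnrm_sf2 '{"settings":{"index":{"max_result_window":1000000}}}'` shows the exact argv, and dropping AOSS_DRY_RUN sends it; `aoss_request GET /dn_scottdnrm_sf2/_settings` reads the settings back. The question's own GET succeeded without the header, so sending the empty-body digest on bodiless requests is belt-and-braces that keeps one code path. SigV4 binds the body to the signature through this digest, so anything that changes the body after it is hashed (for example `-d @file`, which strips newlines from the file) breaks the request; hash and send the same bytes.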
0

Hello,

Based on the information shared, you are getting AccessDenied errors when you append --json to the curl command. Please check CloudTrail events for any errors with respect to the "aoss" service; it will give you more details about the exact AccessDenied error and confirm whether it is actually hitting the API correctly.

[+] Cloudtrail: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html

[+] https://docs.aws.amazon.com/opensearch-service/latest/developerguide/logging-using-cloudtrail.html

[+] https://docs.aws.amazon.com/opensearch-service/latest/ServerlessAPIReference/API_Operations.html

 

I have also looked into the curl command option for using the PUT method, and it must use whitespace between -X and PUT, like "-X PUT", whereas your execution has no whitespace. Please try executing the commands formatted below and refer to the curl manual page for more information.

[+] https://curl.se/docs/manpage.html

[+] https://reqbin.com/req/c-d4os3720/curl-put-example

curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -X PUT  "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2"  --json '{ "settings": { "index.max_result_window" : "1000000" }}'

curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -X PUT  "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2/_settings" --json '{ "index": { "max_result_window" : "1000000" }}'

 

If the above does not work, try explicitly specifying the content type in the curl command like below.

curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -X PUT  "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2"  -H "Content-Type: application/json" -d  '{ "settings": { "index.max_result_window" : "1000000" }}'

curl --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -X PUT  "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2/_settings"  -H "Content-Type: application/json" -d  '{ "index": { "max_result_window" : "1000000" }}'

 

In case you still encounter the issue, please share the verbose output by adding the "-vvv" option to the above curl commands.

Thank you.

answered 7 months ago
  • Vijay, I looked in CloudTrail and found no relevant events.

    In addition, I tried the other curl suggestions and got the exact same response back.

  • And here is the curl with -vvv (will have to split up)

    bash-5.2# curl -vvv --user "$aws_access_key:$aws_secret_key" --aws-sigv4 "aws:amz:us-east-1:aoss" -H "x-amz-security-token: $aws_session_token" -X PUT "$OPENSEARCH_ENDPOINT/dn_scottdnrm_sf2" --json '{ "settings": { "index.max_result_window" : "1000000" }}'

    *   Trying 10.1.50.68:443...
    * Connected to REPLACED.us-east-1.aoss.amazonaws.com (10.1.50.68) port 443 (#0)
    * ALPN: offers h2,http/1.1
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: none
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN: server did not agree on a protocol. Uses default.
    * Server certificate:
    *  subject: CN=*.us-east-1.aoss.amazonaws.com
    *  start date: Dec 18 00:00:00 2022 GMT
    *  expire date: Jan 16 23:59:59 2024 GMT
    *  subjectAltName: host "REPLACED.us-east-1.aoss.amazonaws.com" matched cert's "*.us-east-1.aoss.amazonaws.com"
    *  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
    *  SSL certificate verify ok.
    * using HTTP/1.x

  • next part of curl -vvv

    * Server auth using AWS_SIGV4 with user 'REPLACED'
    > PUT /dn_scottdnrm_sf2 HTTP/1.1
    > Host: REPLACED.us-east-1.aoss.amazonaws.com
    > Authorization: AWS4-HMAC-SHA256 Credential=REPLACED/20231004/us-east-1/aoss/aws4_request, SignedHeaders=accept;content-type;host;x-amz-date;x-amz-security-token, Signature=REPLACED
    > X-Amz-Date: 20231004T195111Z
    > User-Agent: curl/8.0.1
    > x-amz-security-token:REPLACED
    > Content-Type: application/json
    > Accept: application/json
    > Content-Length: 56
    >
    < HTTP/1.1 403 Forbidden
    < x-request-id: 821f3626-7355-9f5a-989f-2e7aff86e858
    < content-length: 121
    < x-aoss-response-hint: X01:gw-helper-deny
    < content-type: application/json
    < date: Wed, 04 Oct 2023 19:51:11 GMT
    < server: aoss-amazon
    <
    {"status":403,"request-id":"821f3626-7355-9f5a-989f-2e7aff86e858","error":{"reason":"403 Forbidden","type":"Forbidden"}}
    * Connection #0 to host m28i4dfrdgi82e4ymbe6.us-east-1.aoss.amazonaws.com left intact
