Permission problem with OpenSearch to Athena connector


Hello, I followed this guide to set up a connector between OpenSearch and Athena. But I cannot seem to be able to read OpenSearch correctly.

At first the error message was:

Failed to get tables names from lambda function due to com.amazonaws.services.lambda.invoke.LambdaFunctionException: Elasticsearch exception [type=security_exception, reason=no permissions for [indices:admin/aliases/get] and User [name=arn:aws:iam::123456789:role/serverlessrepo-AthenaElasticse-ConnectorConfigRole-1HS18LEQVB05Q, backend_roles=[arn:aws:iam::876152107473:role/serverlessrepo-AthenaElasticse-ConnectorConfigRole-1HS18LEQVB05Q], requestedTenant=null]]

While I was trying to figure it out the error changed to

Failed to get tables names from lambda function due to com.amazonaws.services.lambda.invoke.LambdaFunctionException: method [HEAD], host [https://xxxxxxxxx.me-south-1.es.amazonaws.com], URI [/], status line [HTTP/1.1 403 Forbidden]

I tried to change the lambda role to include the AmazonOpenSearchServiceFullAccess policy, but it didn't change anything.

Note that I can actually see the Data source and I can list all the Databases, but not the tables. Everything is in the same account and region. What did I miss?

1 Answer
Accepted Answer

Hello,

Thank you for bringing the query.

From the error given above, there could be a possibility that the Lambda role is not mapped with the "all_access" backend roles in OpenSearch. [1] Could you please confirm the same? In case it is not, I would suggest you try the following steps:

To find the lambda execution role, please navigate to this path:

Lambda Console > Applications > serverlessrepo-AthenaElasticsearchConnector > Under resources, open ConnectorConfig > it will navigate to lambda function(then click on configuration) > permissions > under Execution role(you will see a role attached to function)

Now, to map the lambda role to the "all_access" backend roles in OpenSearch Dashboards, please navigate to the path below:

OpenSearch Dashboards > Menu > Security > Roles > click on ‘all_access’ role > Click on Mapped users > Manage mapping > Under Backend roles please add the lambda role ARN > map

Then try looking for the tables again on Athena console. Also, please make sure you are using the latest version of the connector.

In case this doesn’t help, I would recommend you reach out to AWS Support Engineering via a support ticket to further troubleshoot the issue.

Thank you!

References: [1] https://opensearch.org/docs/latest/security/access-control/users-roles/

AWS
SUPPORT ENGINEER
answered 8 months ago
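The check and mapping the answer describes, worked through against the OpenSearch Security REST API (GET/PUT _plugins/_security/api/rolesmapping) instead of the dashboard; this is an added example, not code from the original post or from AWS. It assumes a constructed rolesmapping response and an example role ARN, and it pulls the real ARN to map from the backend_roles=[...] part of the security_exception text; sending the resulting body to the domain still requires master-user credentials.

```python
import json
import re

# Constructed sample of GET _plugins/_security/api/rolesmapping output
# (not a real domain): "admin" is already mapped, the Lambda role is not.
SAMPLE_ROLES_MAPPING = json.loads("""{
  "all_access": {"reserved": false, "hidden": false,
    "backend_roles": ["arn:aws:iam::111122223333:role/OpenSearchMasterRole"],
    "hosts": [], "users": ["admin"]},
  "readall": {"reserved": false, "hidden": false,
    "backend_roles": [], "hosts": [], "users": []}
}""")

# Example ARN (assumption); the connector's real role ARN is the one the
# security_exception prints inside backend_roles=[...].
LAMBDA_ROLE_ARN = ("arn:aws:iam::111122223333:role/"
                   "serverlessrepo-AthenaElasticse-ConnectorConfigRole-EXAMPLE")


def backend_roles_from_error(message):
    """Pull the backend role ARNs out of an OpenSearch security_exception."""
    found = re.search(r"backend_roles=\[([^\]]*)\]", message)
    if not found:
        return []
    return [a.strip() for a in found.group(1).split(",") if a.strip()]


def roles_mapped_to(roles_mapping, backend_role):
    """Names of security roles whose backend_roles contain the given ARN."""
    return sorted(name for name, m in roles_mapping.items()
                  if backend_role in m.get("backend_roles", []))


def add_backend_role(roles_mapping, role_name, backend_role):
    """Body for PUT _plugins/_security/api/rolesmapping/<role_name>.

    PUT replaces the whole mapping, so the existing users, hosts and
    backend roles are carried over; an ARN already present is not duplicated.
    """
    cur = roles_mapping.get(role_name, {})
    backend = list(cur.get("backend_roles", []))
    if backend_role not in backend:
        backend.append(backend_role)
    return {"backend_roles": backend, "hosts": list(cur.get("hosts", [])),
            "users": list(cur.get("users", []))}


if __name__ == "__main__":
    err = ("no permissions for [indices:admin/aliases/get] and User "
           "[name=%s, backend_roles=[%s], requestedTenant=null]"
           % (LAMBDA_ROLE_ARN, LAMBDA_ROLE_ARN))
    arn = backend_roles_from_error(err)[0]
    print("mapped to:", roles_mapped_to(SAMPLE_ROLES_MAPPING, arn) or "nothing")
    print(json.dumps(add_backend_role(SAMPLE_ROLES_MAPPING, "all_access", arn)))
```

If roles_mapped_to returns an empty list for the ARN taken from the error, the role mapping is the missing piece; after the PUT, the 403 on the aliases call should disappear.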
