Grant access to OpenSearch index


I created a domain in OpenSearch and I've set the Access policy like the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "" },
          "Action": "es:",
          "Resource": "arn:aws:es:ca-central-1:xxxxxx:domain/xxxxx/*"
        }
      ]
    }

From what I understand I give access to all users, but I am the only one who can browse the Indices tab in the console; my colleagues get this error message:

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:monitor/stats] and User [name=arn:aws:iam::xxxx:user/users/xyuser, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:monitor/stats] and User [name=arn:aws:iam::xxx:user/users/xyuseri, backend_roles=[], requestedTenant=null]"},"status":403}

They also get the same error message trying to perform queries with the REST API

Please what am I missing?

asked 3 months ago · 161 views
1 Answer

Note that your Action is "es:" and not "es:*". Add the "*" to the Action section of your Access Policy.

Here is an example: The following resource-based policy grants test-user full access (es:*) to the subresources on test-domain:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [ "arn:aws:iam::123456789012:user/test-user" ]
          },
          "Action": [ "es:*" ],
          "Resource": "arn:aws:es:us-west-1:987654321098:domain/test-domain/*"
        }
      ]
    }

answered 3 months ago
  • Hi Rick, thanks for your quick reply, I don't know why the * was removed from my question but I do have "Action": "es:*"

  • see it won't paste ahh ;) I do have "Action": "es:star"

  • Change Principal to "Principal": "*"

  • Did this fix your issue?
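
Added example, not part of the original thread: a small Python check that flags the empty Principal and the operation-less "es:" Action visible in the policy as pasted in the question, flags a wildcard principal that carries no Condition, and extracts the denied permission and caller from a 403 body. The function names and the sample 403 body are assumptions constructed for illustration.

```python
import json
import re

DENIAL = re.compile(r"no permissions for \[(?P<permission>[^\]]+)\] and User "
                    r"\[name=(?P<user>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]")

# Policy exactly as it appears in the question (wildcards lost in the paste).
AS_PASTED = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
             '"Principal":{"AWS":""},"Action":"es:",'
             '"Resource":"arn:aws:es:ca-central-1:xxxxxx:domain/xxxxx/*"}]}')
# Constructed 403 body modelled on the error in the question; the ARN is made up.
SAMPLE_403 = ('{"error":{"type":"security_exception","reason":"no permissions for '
              '[indices:monitor/stats] and User [name=arn:aws:iam::111122223333:'
              'user/example-user, backend_roles=[], requestedTenant=null]"},"status":403}')

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_access_policy(policy_text):
    """Return (statement index, finding) pairs for a domain access policy."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_text)["Statement"])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # e.g. {"AWS": "..."} or {"AWS": [...]}
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:                            # bare string such as "*", or missing
            principals = [principal]
        for p in principals:
            if not p:
                findings.append((i, "empty principal"))
            elif p == "*" and stmt.get("Effect") == "Allow" and "Condition" not in stmt:
                findings.append((i, "wildcard principal without Condition"))
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith(":"):
                findings.append((i, f"action {action!r} names no operation or wildcard"))
    return findings

def parse_denial(body_text):
    """Extract denied permission, caller and backend roles from a 403 body."""
    m = DENIAL.search(json.loads(body_text)["error"]["reason"])
    if m is None:
        return None
    roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
    return {"permission": m["permission"], "user": m["user"], "backend_roles": roles}

if __name__ == "__main__":
    print(lint_access_policy(AS_PASTED))
    print(parse_denial(SAMPLE_403))
```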
