By using AWS re:Post, you agree to the Terms of Use

Opensearch access issue

0

Hi

I've created test opensearch domain according to guide https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgcreate-domain.html

It has Public access, fine grained access control with mster-user/password But when I try to connect to opensearch with those command

curl -XPOST -u 'my-mster-user:my-mster-password' 'https://search-wb-elk-xqfw2gbhc4ie6ormpmsf3gb7ae.us-east-2.es.amazonaws.com/_bulk' --data-binary @movies.json -H 'Content-Type: application/json'

I get

"Message":"User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"

Whereas I've setup everything by default like it is said in guide

What's the problem here?

here is my access policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "es:*", "Resource": "arn:aws:es:us-east-my-arn:domain/wb_elk/*" } ] }

asked 6 months ago883 views
3 Answers
0

Your access policy looks odd. I understand you redacted your own account ID, but can you please double check if it follows the pattern below:

"Resource": "arn:aws:es:xxxxxxxx:0123456789012:domain/xxxxxx/*"

In your original message you got "us-east-my-arn", which should be something like "us-east-1:account_id" (note the missing region identifier, and there should be an account_id and not an ARN).

answered 6 months ago
  • Hi

    here is my unredacted access policy

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "" }, "Action": "es:", "Resource": "arn:aws:es:us-east-2:924827564867:domain/wb_elk/*" } ] }

0

Your access policy looks alright, except for the missing asterisks - but I think this is due to the markdown formatting here.

One thing you might check is the security setting within OpenSearch. You can go to OpenSearch Plugins > Security and check if that user has the proper permissions. You can get more info in the documentation, but the idea is that you need to create an user (you probably already have it) and then grant to this user the appropriate permissions.

Also, I suggest editing your answer and redacting your AWS account ID: although not sensitive information, you should not share this unless necessary (otherwise others can use it to invoke

answered 6 months ago
  • Hi As I've get I open OpenSearch plugins through Dashboards interface. But I can't access Dashboards two. When I go to Dashboards link in my browser it also says "Message":"User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"

0

Hi,

in case you have not yet tried, please check this knowledge base article: "I get a "User: anonymous is not authorized" error when I try to access my Amazon OpenSearch Service cluster" it mentions also other possible causes / resolutions.

hope this helps

EXPERT
answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions