By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Opensearch access issue

0

Hi

I've created test opensearch domain according to guide https://docs.aws.amazon.com/opensearch-service/latest/developerguide/gsgcreate-domain.html

It has Public access, fine grained access control with mster-user/password But when I try to connect to opensearch with those command

curl -XPOST -u 'my-mster-user:my-mster-password' 'https://search-wb-elk-xqfw2gbhc4ie6ormpmsf3gb7ae.us-east-2.es.amazonaws.com/_bulk' --data-binary @movies.json -H 'Content-Type: application/json'

I get

"Message":"User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"

Whereas I've setup everything by default like it is said in guide

What's the problem here?

here is my access policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "es:*", "Resource": "arn:aws:es:us-east-my-arn:domain/wb_elk/*" } ] }

Topics
ServerlessAnalytics
Tags
Amazon OpenSearch Service
Language
English
kirik
asked 2 years ago8823 views
3 Answers
1

Your access policy looks odd. I understand you redacted your own account ID, but can you please double check if it follows the pattern below:

"Resource": "arn:aws:es:xxxxxxxx:0123456789012:domain/xxxxxx/*"

In your original message you got "us-east-my-arn", which should be something like "us-east-1:account_id" (note the missing region identifier, and there should be an account_id and not an ARN).

AWS
Gustavo_F
answered 2 years ago
  • kirik
    2 years ago

    Hi

    here is my unredacted access policy

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "" }, "Action": "es:", "Resource": "arn:aws:es:us-east-2:924827564867:domain/wb_elk/*" } ] }

1

Hi,

in case you have not yet tried, please check this knowledge base article: "I get a "User: anonymous is not authorized" error when I try to access my Amazon OpenSearch Service cluster" it mentions also other possible causes / resolutions.

hope this helps

AWS
EXPERT
Fabrizio@AWS
answered 2 years ago
0

Your access policy looks alright, except for the missing asterisks - but I think this is due to the markdown formatting here.

One thing you might check is the security setting within OpenSearch. You can go to OpenSearch Plugins > Security and check if that user has the proper permissions. You can get more info in the documentation, but the idea is that you need to create an user (you probably already have it) and then grant to this user the appropriate permissions.

Also, I suggest editing your answer and redacting your AWS account ID: although not sensitive information, you should not share this unless necessary (otherwise others can use it to invoke

AWS
Gustavo_F
answered 2 years ago
  • kirik
    2 years ago

    Hi As I've get I open OpenSearch plugins through Dashboards interface. But I can't access Dashboards two. When I go to Dashboards link in my browser it also says "Message":"User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content