It appears that you're encountering a permissions issue when trying to create manual snapshots for your OpenSearch cluster. Based on the error message, the main problem is that the user "snapuser" doesn't have the necessary permissions to perform the "cluster:admin/repository/put" action. Here are some steps to troubleshoot and potentially resolve this issue:
- Double-check the IAM role (TheSnapshotRole) and its trust relationship. These appear to be set up correctly based on the information provided.
- Verify that the S3 bucket "yyyyy-opensearch-snapshots" exists and is accessible.
- Ensure that the OpenSearch domain is configured to use the IAM role for snapshot management. You may need to associate the role with your OpenSearch domain in the AWS console.
- Review the IAM user (snapuser) policy. While it includes the necessary "iam:PassRole" and "es:ESHttpPut" permissions, you might want to consider adding more granular permissions for snapshot-related actions.
- In the OpenSearch console, under Security - Roles, make sure the role you created is actually assigned to the snapuser. Creating the role alone is not enough; it needs to be mapped to the user.
- Check if there are any conflicting policies or permissions that might be overriding the ones you've set.
- Verify that the backend roles mapping is correct. The error message shows empty backend roles, which suggests the mapping might not be working as expected.
- Try using the AWS CLI or SDK to register the snapshot repository instead of a Python script, to rule out any issues with the script itself.
- If possible, temporarily grant broader permissions to the snapuser to see if it resolves the issue. This can help isolate whether it's a specific permission causing the problem.
- Check the OpenSearch Service domain's access policy to ensure it allows the necessary actions from your IAM user.
If these steps don't resolve the issue, you may need to review the entire permission chain from the IAM user through to the OpenSearch cluster and S3 bucket to identify any gaps or conflicts in the permissions.
Sources
Troubleshoot long-running or stuck snapshots in OpenSearch Service | AWS re:Post
Taking manual snapshots - Amazon OpenSearch Service
Creating index snapshots in Amazon OpenSearch Service - Amazon OpenSearch Service
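The role-mapping check from the answer above, as an added example that is not part of the original answer or of AWS's own code: it parses the fine-grained access control denial and builds the request body that maps the denied principal to a security role. The sample message and account ID are constructed, and it assumes the role to map is the built-in `manage_snapshots` role, sent with `PUT _plugins/_security/api/rolesmapping/manage_snapshots`.

```python
import json
import re

# Constructed sample of the denial described above; the account ID is a placeholder.
SAMPLE_REASON = (
    "no permissions for [cluster:admin/repository/put] and User "
    "[name=arn:aws:iam::123456789012:user/snapuser, backend_roles=[], requestedTenant=null]"
)

DENIAL = re.compile(
    r"no permissions for \[(?P<actions>[^\]]*)\] and User "
    r"\[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]"
)

def _split(value):
    return [part.strip() for part in value.split(",") if part.strip()]

def parse_denial(reason):
    """Return the denied actions plus the user name and backend roles the cluster saw."""
    m = DENIAL.search(reason)
    if m is None:
        raise ValueError("not a fine-grained access control denial message")
    return {
        "actions": _split(m["actions"]),
        "name": m["name"].strip(),
        "backend_roles": _split(m["roles"]),
    }

def mapping_body(denial, existing=None):
    """Build the PUT body for a role mapping that includes the denied principal.

    PUT replaces the whole mapping, so entries already present are merged in.
    An IAM user ARN is mapped under "users"; an IAM role ARN is a backend role.
    """
    existing = existing or {}
    body = {k: list(existing.get(k, [])) for k in ("backend_roles", "hosts", "users")}
    principal = denial["name"]
    key = "backend_roles" if ":role/" in principal else "users"
    if principal not in body[key]:
        body[key].append(principal)
    return body

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_REASON)
    print("denied:", denial["actions"], "seen backend roles:", denial["backend_roles"])
    print(json.dumps(mapping_body(denial), indent=2))
```

Fetch the current mapping with a GET on the same path first and pass it as `existing`, so the PUT does not drop principals that are already mapped.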