I want to create a manual snapshot of our OpenSearch domain.
I used this article for that.
- Created bucket: elk-snapshots-mycompany-1 (arn:aws:s3:::elk-snapshots-mycompany-1)
- Created access role for this bucket: s3-elk-snapshots-access (arn:aws:iam::112233445566:role/s3-elk-snapshots-access) with es.amazonaws.com entity
- Created access role for es:ESHttpPut to my OpenSearch domain and PassRole for the role described above, with ec2.amazonaws.com entity: elk-snapshots (arn:aws:iam::112233445566:role/elk-snapshots)
- Attached elk-snapshots to the EC2 instances that are running in the same region as the OpenSearch domain
- Our domain uses fine-grained access control, so I added arn:aws:iam::112233445566:role/elk-snapshots to the manage_snapshots role in Kibana
- Installed python3, the requests and requests-aws4auth libs, and started the script mentioned in the article above.
I got the following error:
500
{"error":{"root_cause":[{"type":"repository_verification_exception","reason":"[s3-manual] path is not accessible on master node"}],"type":"repository_verification_exception","reason":"[s3-manual] path is not accessible on master node","caused_by":{"type":"i_o_exception","reason":"Unable to upload object [tests-oENHme5iSL6nLJr-aUNZ4A/master.dat] using a single upload","caused_by":{"type":"amazon_s3_exception","reason":"Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: X7X48KRM4YNRBNM1; S3 Extended Request ID: umFBa+PTbhEbRZlG7Y8jvU+8wmUNOL9GbZQzYyIljmmpkCtXfOrDChVAoHmWDKFLxVvbOm+9mTs=)"}}},"status":500}
After that I set up the CloudTrail service and found this sample of the access error:
{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"AROA2UHKJHDPMDZ4ZPZTG:cloudsearch-snapshot","arn":"arn:aws:sts::112233445566:assumed-role/s3-elk-snapshots-access/cloudsearch-snapshot","accountId":"112233445566","accessKeyId":"ASIA2UHKJHDPBWZRKLQO","sessionContext":{"sessionIssuer":{"type":"Role","principalId":"AROA2UHKJHDPMDZ4ZPZTG","arn":"arn:aws:iam::112233445566:role/s3-elk-snapshots-access","accountId":"112233445566","userName":"s3-elk-snapshots-access"},"attributes":{"creationDate":"2023-07-04T19:17:45Z","mfaAuthenticated":"false"}},"invokedBy":"es.amazonaws.com"},"eventTime":"2023-07-04T19:28:16Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","awsRegion":"eu-central-1","sourceIPAddress":"es.amazonaws.com","userAgent":"es.amazonaws.com","errorCode":"AccessDenied","errorMessage":"Access Denied","requestParameters":{"bucketName":"elk-snapshots-mycompany-1","Host":"elk-snapshots-mycompany-1.s3.eu-central-1.amazonaws.com","x-amz-acl":"private","key":"tests-ZQ3DPKFLQGOgBfNNvmQplQ/master.dat","x-amz-storage-class":"STANDARD"},"responseElements":null,"additionalEventData":{"SignatureVersion":"SigV4","aclRequired":"Yes","CipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","bytesTransferredIn":0,"AuthenticationMethod":"AuthHeader","x-amz-id-2":"e3+3jACTWfehOwcpvO+KeNF1QJd0x5mE4fN9a3t6ADYFpusynRSAgoLtEp2HS1iBeyooVLy86ihnQ+VjRdinBw==","bytesTransferredOut":255},"requestID":"SPFKDSP7SVG1E4EW","eventID":"4d1bc948-d25c-4b71-966f-310fec953a3b","readOnly":false,"resources":[{"type":"AWS::S3::Object","ARN":"arn:aws:s3:::elk-snapshots-mycompany-1/tests-ZQ3DPKFLQGOgBfNNvmQplQ/master.dat"},{"accountId":"112233445566","type":"AWS::S3::Bucket","ARN":"arn:aws:s3:::elk-snapshots-mycompany-1"}],"eventType":"AwsApiCall","managementEvent":false,"recipientAccountId":"112233445566","eventCategory":"Data"}
I also read this article
and added the "server_side_encryption": "true" setting, but it didn't help.
If you can give me any idea, I will be very grateful.
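A small diagnostic I add here (not code from the question, the linked article, or AWS): it maps the CloudTrail AccessDenied record above to the (action, resource) pair IAM actually evaluated and runs it against a candidate identity policy. The policy is a constructed assumption that shows one common way such a PutObject denial arises: the object actions are granted on the bucket ARN without the "/*" key suffix. It models identity-policy Allow/Deny only; bucket policies, conditions and SCPs are out of scope.

```python
import fnmatch
# Constructed example policy (an assumption, not the poster's real one): the object-level
# actions are granted on the bucket ARN only, so object ARNs like ".../tests-xxx/master.dat" never match.
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::elk-snapshots-mycompany-1"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::elk-snapshots-mycompany-1"},
    ],
}
# Fields trimmed from the CloudTrail AccessDenied record in the question.
DENIED_EVENT = {
    "eventName": "PutObject",
    "resources": [
        {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::elk-snapshots-mycompany-1/tests-ZQ3DPKFLQGOgBfNNvmQplQ/master.dat"},
        {"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::elk-snapshots-mycompany-1"},
    ],
}
_as_list = lambda v: v if isinstance(v, list) else [v]

def request_from_event(event):
    """(action, resource) that IAM evaluated for a CloudTrail S3 data event;
    object-level calls name an object ARN, bucket-level calls only the bucket."""
    by_type = {r["type"]: r["ARN"] for r in event["resources"]}
    return "s3:" + event["eventName"], by_type.get("AWS::S3::Object", by_type["AWS::S3::Bucket"])

def evaluate(policy, action, resource):
    """Simplified IAM logic: explicit Deny wins, any Allow passes, else implicit deny.
    Conditions, NotAction/NotResource, bucket policies and SCPs are out of scope."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # action names match case-insensitively, ARNs case-sensitively; '*' and '?' are wildcards
        act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def with_object_suffix(policy):
    """Copy of the policy where object-action statements also cover '<bucket>/*'."""
    fixed = []
    for stmt in policy["Statement"]:
        res = _as_list(stmt["Resource"])
        if any(a.lower() != "s3:listbucket" for a in _as_list(stmt["Action"])):
            res = res + [r + "/*" for r in res if "/" not in r]
        fixed.append({**stmt, "Resource": res})
    return {**policy, "Statement": fixed}
```

Feed your own CloudTrail record and the role's actual policy JSON into `evaluate(policy, *request_from_event(event))`; an "Allow" here while S3 still returns 403 points at a bucket policy, SCP, KMS key policy or Object Ownership setting rather than the identity policy.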
I believe yes. I also checked this role in the AWS policy simulator, and it granted access. I don't know what this means:
/cloudsearch-snapshot
As I understood, arn:aws:sts::112233445566:assumed-role points to the role that was assumed successfully. The policy properties: arn:aws:iam::112233445566:role/s3-elk-snapshots-access Permissions:
Trust relationships:
Where can I show it?