User: anonymous is not authorized to perform: es:ESHttpPost


Hello,

I used to have an ElasticSearchService instance (t2.micro.search) set up to enable a search functionality for an app hosted on Heroku. It was working fine, but recently timeout errors became frequent. I signed into the AWS console to see if there is any information. First there was a message that the instance should be upgraded. I tried to upgrade but the only option I could see was t2.micro.search (or other previous generation instances). The second message was to update the service software, so I tried that. After 2 days the update is still not completed. It is stuck at one of the steps and doesn't move forward.

In the meantime, I tried to set up a new instance (t3.small.search) using the same settings as the previous one. However, when I tried to build the index from Heroku, I got this error: TransportError(403, '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost with an explicit deny in a resource-based policy"}')

I realized my access policy has "Deny" instead of the "Allow" I had before:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:000000000000:domain/my-domain/*"
    }
  ]
}

I tried to change it to "Allow" but the console would not allow me to save the settings ("Apply a restrictive access policy to your domain").

Does somebody know how to set up the access policy so I can continue to use AWS OpenSearch for a Heroku app?

1 Answer

Check by setting the Type to IPv4, Action to allow and add your IP and the App's IP in the Principal.

Syd
answered a year ago
  • Thank you, Syd. Do you have a working access policy that you could share? What did you enter as IP for a Heroku app?

  • I don't have any information about the IP you can use for Heroku. It seems that Heroku app IPs are dynamic. You can check if they provide you any static IP as outlined here - https://help.heroku.com/JS13Y78I/i-need-to-add-heroku-dynos-to-our-allowlist-what-are-ip-address-ranges-in-use-at-heroku

  • Changing Deny to Allow in the policy you shared above also works for me on opensearch 2.5

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "" }, "Action": "es:", "Resource": "<OPENSEARCH_ARN>" } ] }

  • You are correct about Heroku. It is interesting you mention it works for you with opensearch 2.5. Have you activated fine-grained access control? I am on an elasticsearch version for which this option is not available. If you say it works with fine-grained access control turned on, then I will try upgrading elasticsearch to a version for which this setting is available.

  • Yes, I tested with fine-grained access control enabled and on version 2.5 of opensearch. Which version of elasticsearch are you using?
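To make the behaviour discussed in this thread concrete, here is an added example (not code from the question, the answer, or AWS) that models how an OpenSearch domain's resource-based policy decides the asker's request. It builds three policies: the explicit Deny the asker found, the unconditional Allow from the comment above, and an Allow restricted with an `IpAddress` / `aws:SourceIp` condition as Syd's answer suggests. The account id, domain name and IP addresses are placeholders and documentation-range values I constructed, and `evaluate` is a deliberately simplified evaluator (explicit deny wins, then allow, else implicit deny; only the source-IP condition is modelled), not the full IAM algorithm. The point it shows is a defender's one: with `"Principal": {"AWS": "*"}` and no condition, an Allow accepts unsigned (anonymous) requests from any address, which is why pairing it with fine-grained access control (as the commenter did) or an IP condition matters, and an IP condition is only usable when the client has stable egress IPs, which the thread notes Heroku does not provide by default.

```python
import ipaddress

# Constructed sample data: placeholder account id and domain, documentation-range IPs.
DOMAIN_ARN = "arn:aws:es:us-east-1:000000000000:domain/my-domain/*"
APP_EGRESS_IPS = ["203.0.113.10/32", "203.0.113.11/32"]  # assumed static egress IPs


def make_policy(effect, condition=None):
    """Build a single-statement resource-based policy shaped like the one in the question."""
    stmt = {
        "Effect": effect,
        "Principal": {"AWS": "*"},  # matches every caller, including unsigned (anonymous) ones
        "Action": "es:*",
        "Resource": DOMAIN_ARN,
    }
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


DENY_ALL = make_policy("Deny")    # what the asker found: explicit deny for everyone
ALLOW_ANY = make_policy("Allow")  # the fix from the comments: open to any source address
ALLOW_FROM_IPS = make_policy("Allow", {"IpAddress": {"aws:SourceIp": APP_EGRESS_IPS}})


def _glob(pattern, value):
    """Match IAM-style patterns with a trailing '*' (e.g. 'es:*', '.../my-domain/*')."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(principal_block, caller):
    if principal_block == "*":
        return True
    return any(_glob(p, caller) for p in _as_list(principal_block.get("AWS", [])))


def _condition_matches(condition, source_ip):
    """Only the IpAddress / aws:SourceIp condition is modelled here."""
    if not condition:
        return True
    cidrs = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(policy, action, resource, source_ip, caller="anonymous"):
    """Simplified resource-policy evaluation: an explicit Deny always wins,
    otherwise a matching Allow grants access, otherwise the request is implicitly denied."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    # The request from the question: an unsigned index write from the app.
    req = ("es:ESHttpPost", "arn:aws:es:us-east-1:000000000000:domain/my-domain/my-index/_doc")
    policies = [("deny_all", DENY_ALL), ("allow_any", ALLOW_ANY), ("allow_from_ips", ALLOW_FROM_IPS)]
    for name, pol in policies:
        for ip in ("203.0.113.10", "198.51.100.77"):  # listed app IP vs. an unknown address
            print(f"{name:15s} from {ip:15s} -> {evaluate(pol, *req, ip)}")
```

Running it prints that `deny_all` rejects the write from every address (the 403 in the question), `allow_any` accepts it from the unknown address too, and `allow_from_ips` accepts it only from the listed egress IPs. Whichever shape you choose, the console's reminder to apply a restrictive policy is about exactly this: an Allow for `"AWS": "*"` with no condition and no fine-grained access control makes the domain writable by anyone who can reach its endpoint.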
