I've set up OpenSearch Serverless with Network access = Public, and a Kinesis Data Firehose delivery stream that delivers to it. I've then edited the data access policy and tried a lot of different things, granting
index/*/* | index | aoss:*
to the Firehose IAM name. I've tried both selecting the IAM role from the dropdown ("arn:aws:iam::<account_id>:role/service-role/<IAM_role_name>") and copying the syntax from the tutorial ("arn:aws:sts::<account_id>:assumed-role/<IAM_role_name>/*").
When I use the "test with demo data" on Kinesis Firehose, I end up with the following errors:
"message": "Error received from the Amazon OpenSearch Service cluster or OpenSearch Serverless collection. If the cluster or collection is behind a VPC, ensure network configuration allows connectivity. {"status":403,"request-id":"32af50b5-152a-931a-9e96-688f91bb34d1","error":{"reason":"403 Forbidden","type":"Forbidden"}}",
"errorCode": "OS.ServiceException"
"message": "Authentication/authorization error during attempt to deliver data to destination ES/OS cluster. This can happen due to any permission issues and/or intermittently when your firehose target ES/OS domain configuration is modified. Please check the cluster policy and role permissions.",
"errorCode": ""