OPENSEARCH CREATION

Question

HI! I have this project on terraform where I need to create an assumerole and assign it with permission/policy that can spin up and spin down Opensearch. I tried to do it first in AWS console manually so I can understand the concept and I selected Opensearch Service on full-access but I can't still create the Opensearch Domain, it just load endlessly but when I assigned AdminAccess to the IAM user it created the domain instantly.

I would like to ask if what other services do I need to allow in order to successfully create the Opensearch Domain without Admin access?

Viktor Ardelean · Answer

If you want more granular access control, you should create a custom policy and allow the following actions: **es:CreateDomain**, **es:DeleteDomain**, **es:UpgradeDomain**, **es:UpdateDomainConfig**, **es:UpgradePackage**

If need an Amazon OpenSearch Service domain that uses VPC access, you additionally would need **es:CreateServiceRole**, **es:CreateVpcEndpoint**, **es:AuthorizeVpcEndpointAccess**, **es:DeleteVpcEndpoint**, **es:DeleteElasticsearchServiceRole**

Raphael · Answer

This really depends on what you want to configure as part of the creation. For OpenSearch, I'd start with the [service reference](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html) for the list of actions and how they can be controlled. If you don't want to be that granluar, you can use the [`AmazonOpenSearchServiceFullAccess`](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AmazonOpenSearchServiceFullAccess) managed policy which grants full access to the service (`es:*`).

OPENSEARCH CREATION

Add your answer

Relevant content