I tried replicating this internally using CDK with very similar code in Python and was able to access the dashboard with the credentials saved in Secrets Manager. Please find the sample code below.
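// Master-user credentials for the domain live in Secrets Manager. Only the
// username is fixed here; the password is generated by Secrets Manager and
// never appears as a literal in the stack code.
const OSS_USERNAME = 'admin';
const PASSWORD_FIELD = 'es.net.http.auth.pass';

// Secret whose JSON body starts from the template {"es.net.http.auth.user": OSS_USERNAME}
// and gets a generated value stored under PASSWORD_FIELD (generateStringKey).
const secret = new secretsmanager.Secret(this, 'domain-creds', {
  generateSecretString: {
    secretStringTemplate: JSON.stringify({ 'es.net.http.auth.user': OSS_USERNAME }),
    generateStringKey: PASSWORD_FIELD,
  },
});

// FGAC-enabled domain with encryption in transit (node-to-node and HTTPS-only)
// and at rest. The master password is read from the secret at deploy time.
const domain = new opensearchservice.Domain(this, 'domain', {
  version: opensearchservice.EngineVersion.OPENSEARCH_2_5,
  ebs: {
    volumeSize: 300,
    volumeType: ec2.EbsDeviceVolumeType.GP3,
  },
  nodeToNodeEncryption: true,
  encryptionAtRest: {
    enabled: true,
  },
  enforceHttps: true,
  fineGrainedAccessControl: {
    masterUserName: OSS_USERNAME,
    // Resolved from the secret's JSON field, so the password is never inlined.
    masterUserPassword: secret.secretValueFromJson(PASSWORD_FIELD),
  },
});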
Here is a sample CloudFormation template that creates an FGAC-enabled domain and fetches the master username and password from AWS Secrets Manager, in case it is helpful. Replace the placeholder values in angle brackets and adjust the template to your requirements and organizational security policies.
{
"Resources": {
"OS": {
"Type": "AWS::OpenSearchService::Domain",
"Properties": {
"DomainName": "<domain name>",
"EngineVersion": "Elasticsearch_7.10",
"ClusterConfig": {
"DedicatedMasterEnabled": true,
"InstanceCount": "1",
"ZoneAwarenessEnabled": false,
"InstanceType": "t3.small.search",
"DedicatedMasterType": "t3.small.search",
"DedicatedMasterCount": "3"
},
"EBSOptions": {
"EBSEnabled": true,
"Iops": "0",
"VolumeSize": "20",
"VolumeType": "gp2"
},
"AdvancedSecurityOptions": {
"Enabled": true,
"InternalUserDatabaseEnabled": true,
"MasterUserOptions": {
"MasterUserName": "{{resolve:secretsmanager:******:SecretString:username}}",
"MasterUserPassword": "{{resolve:secretsmanager:*******:SecretString:password}}"
}
},
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:<AWS account id>:domain/<domain name>/*",
"Condition": {
"IpAddress": {
<Add IP address as per your requirements>
}
}
}
]
},
"AdvancedOptions": {
"rest.action.multi.allow_explicit_index": true,
"override_main_response_version": true
},
"EncryptionAtRestOptions": {
"Enabled": true
},
"NodeToNodeEncryptionOptions": {
"Enabled": true
},
"DomainEndpointOptions": {
"EnforceHTTPS": true
}
},
"Metadata": {
"AWS::CloudFormation::Designer": {
"id": "a****"
}
}
}
}
}
I kindly request that you try the above code in CDK. If the issue still persists, then in order to dive deeper into it we require details that are non-public information; please open a support case with AWS using reference [1].
I also request that you check the CloudFormation template shared above in case it is useful to you.
Reference:
[1] https://console.aws.amazon.com/support/home#/case/create