After OpenSearch upgrade I get a "Missing role" error when trying to sign in using Cognito

0

We have multiple AWS accounts, each with Cognito and OpenSearch Service. One of them is still working; the other two can no longer be accessed after upgrading OpenSearch past version 2.9. When trying to log in, I get the "Missing Role" error. It was working before and nothing was changed. All 3 accounts are managed by Terraform and have the identical configuration.

In OpenSearch, Fine-Grained Access Control has been enabled and the Master User IAM ARN is set to the same ARN that is configured as the IAM Role ARN in the Cognito Group.

I had this error in the past after upgrading; usually it was enough to edit the OpenSearch domain and paste the IAM Role ARN from the Cognito Group again, but since version 2.10 and higher this no longer works. I always get the "Missing Role" error.

Did anything change between OpenSearch 2.9 and 2.10? Since then I haven't gotten it to work again; even the latest version, 2.17, still has this bug for me.

1 Answer
0

Finally found that the web interface is bugged and the master user ARN cannot be set using the web interface. You have to use the CLI command

aws opensearch update-domain-config \
    --domain-name my-opensearch-domain \
    --advanced-security-options file://options.json

with something like this in options.json:

{
    "MasterUserOptions": {
        "MasterUserARN": "arn:aws:iam::123456789012:user/MasterUser"
    }
}

Then it works.

answered 18 days ago
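An added helper, not part of the answer above or of any AWS tooling, that generates the options.json body from the Cognito group's RoleArn instead of retyping the ARN by hand, after checking that fine-grained access control is on and the internal user database is off (MasterUserARN only applies in that mode). The get-group and describe-domain-config outputs are constructed samples with placeholder identifiers.

```python
import json
import re

# Constructed sample output of `aws cognito-idp get-group` (placeholder identifiers).
GET_GROUP_OUTPUT = json.dumps({
    "Group": {
        "GroupName": "opensearch-admins",
        "UserPoolId": "eu-central-1_EXAMPLE",
        "RoleArn": "arn:aws:iam::123456789012:role/opensearch-master-role",
        "Precedence": 0,
    }
})

# Constructed sample output of `aws opensearch describe-domain-config`, trimmed to the
# fields this check reads. MasterUserOptions is write-only and is not echoed back.
DESCRIBE_DOMAIN_CONFIG_OUTPUT = json.dumps({
    "DomainConfig": {
        "AdvancedSecurityOptions": {
            "Options": {"Enabled": True, "InternalUserDatabaseEnabled": False}
        }
    }
})

# IAM role or user ARN, with optional path; anything else is rejected before it is sent.
IAM_PRINCIPAL_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")


def group_role_arn(get_group_output: str) -> str:
    """Return the IAM role ARN attached to a Cognito user pool group."""
    arn = json.loads(get_group_output)["Group"].get("RoleArn")
    if not arn or not IAM_PRINCIPAL_ARN.match(arn):
        raise ValueError(f"Cognito group has no usable IAM role ARN: {arn!r}")
    return arn


def precheck_domain(describe_output: str) -> None:
    """MasterUserARN is only honoured with FGAC enabled and the internal user database off."""
    opts = json.loads(describe_output)["DomainConfig"]["AdvancedSecurityOptions"]["Options"]
    if not opts.get("Enabled"):
        raise ValueError("fine-grained access control is not enabled on this domain")
    if opts.get("InternalUserDatabaseEnabled"):
        raise ValueError("internal user database is enabled; the master user is a username, not an ARN")


def build_options_json(get_group_output: str, describe_output: str) -> str:
    """Body for `aws opensearch update-domain-config --advanced-security-options file://options.json`."""
    precheck_domain(describe_output)
    body = {"MasterUserOptions": {"MasterUserARN": group_role_arn(get_group_output)}}
    return json.dumps(body, indent=4)


if __name__ == "__main__":
    with open("options.json", "w") as fh:
        fh.write(build_options_json(GET_GROUP_OUTPUT, DESCRIBE_DOMAIN_CONFIG_OUTPUT))
```

Feed it the real `get-group` and `describe-domain-config` outputs, then run the update-domain-config command from the answer with the file it writes.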
