
AuthorizationException(403, 'Forbidden')


We're currently facing challenges in granting the necessary permissions to your Lambda function to access Amazon OpenSearch Service serverless. Despite our efforts, we're encountering a persistent 403 error when attempting to index documents. Resolving these authorization issues is crucial for the Lambda function to operate as intended.

I can't correctly assign aoss:APIAccessAll and aoss:DashboardsAccessAll permissions.

1 Answer

Hi,

The key part is the execution role of the Lambda: see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/quickref-lambda.html for a full CloudFormation template.

The key part for you is the execution role: replace the auth for CloudWatch ('logs') below with yours for OpenSearch ('aoss').

LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:*
                Resource: arn:aws:logs:*:*:*

This page will also show you how to set up the various required AOSS policies: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-cfn.html

Best,

Didier

EXPERT
answered 2 years ago
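
The two pieces the answer points to, put together as an added example (not code from the answer or from AWS documentation): the execution role with the 'logs' statement swapped for 'aoss', plus an AOSS data access policy that names the same role as principal, since the IAM permission alone does not authorize indexing. `CollectionName`, `CollectionArn` and the policy names are assumed placeholders for an existing collection.

```yaml
# Added example. CollectionName / CollectionArn are assumed parameters that
# describe an already existing OpenSearch Serverless collection.
Parameters:
  CollectionName:
    Type: String
  CollectionArn:
    Type: String  # arn:aws:aoss:<region>:<account>:collection/<collection-id>
Resources:
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: aoss-data-plane
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # IAM side: allows calls to this one collection's OpenSearch API.
              # Keep a 'logs' statement next to it if the function logs to CloudWatch.
              - Effect: Allow
                Action:
                  - aoss:APIAccessAll
                Resource: !Ref CollectionArn
  # AOSS side: the data access policy decides what the role may do with indexes.
  LambdaDataAccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: lambda-index-access
      Type: data
      Policy: !Sub |
        [{
          "Rules": [{
            "ResourceType": "index",
            "Resource": ["index/${CollectionName}/*"],
            "Permission": ["aoss:CreateIndex", "aoss:WriteDocument"]
          }],
          "Principal": ["${LambdaExecutionRole.Arn}"]
        }]
```

The index rule grants only index creation and document writes; add `aoss:ReadDocument` only if the function also searches.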
