OpenSearch IP-based policies not working for some IPs

0

I deployed an OpenSearch domain for testing purposes on a public VPC. I configured an IP-based access policy to allow access to the domain for me and another co-worker. Both of our IPs should be allowed to access the domain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:564646946125:domain/test-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "x.x.x.x/32",
            "y.y.y.y/32"
          ]
        }
      }
    }
  ]
}

I can successfully access the domain by clicking its endpoint. However, my co-worker gets an error.

{"message":"Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=Basic NGRtMW46UDQkJHcwcmQ="}

1 Answer
0

It looks like your co-worker is getting an authorization error, which means their request is not being allowed by the IP-based access policy. One thing you can check is whether your co-worker's IP address is correct and within the CIDR range specified in the policy.

If the IP address is correct, you can try removing the "AWS" principal from the policy and specify the "Condition" block with the "IpAddress" field only. Here's an example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:564646946125:domain/test-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "x.x.x.x/32",
            "y.y.y.y/32"
          ]
        }
      }
    }
  ]
}

Make sure to replace the IP addresses with the correct ones for you and your co-worker. Also, make sure that both of you are using the correct AWS access keys when making requests to the OpenSearch domain.

hash
answered a year ago
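
A diagnostic check for the situation in this thread, added here as an example (not code from the question or the answer): it tests a caller's public IP against the policy's `aws:SourceIp` list and reads the Authorization scheme echoed in the error body, since the error quoted in the question shows `Authorization=Basic`, meaning the request carried an HTTP Basic header where the service expected SigV4 fields. The policy addresses, account ID, credential placeholder and function names are constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample policy: same shape as the question's, with
# documentation-range addresses standing in for x.x.x.x / y.y.y.y.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
    "Resource": "arn:aws:es:us-east-1:111122223333:domain/example/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.10/32", "198.51.100.7/32"]}}
  }]
}
""")

# Constructed error body in the format quoted in the question (credential replaced).
ERROR = """{"message":"Authorization header requires 'Credential' parameter. Authorization=Basic PLACEHOLDER"}"""

def allowed_cidrs(policy):
    """Collect aws:SourceIp entries from Allow statements (string or list)."""
    cidrs = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        value = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        cidrs += [value] if isinstance(value, str) else value
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def ip_matches(policy, source_ip):
    """True if source_ip falls inside any allowed CIDR."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in allowed_cidrs(policy))

def auth_scheme(error_body):
    """Return the scheme the service echoed back (e.g. 'Basic'), or None."""
    m = re.search(r"Authorization=(\S+)", json.loads(error_body).get("message", ""))
    return m.group(1) if m else None

def diagnose(policy, source_ip, error_body):
    if not ip_matches(policy, source_ip):
        return "source IP not in policy"
    scheme = auth_scheme(error_body)
    if scheme and scheme != "AWS4-HMAC-SHA256":
        return f"IP allowed; request sent a {scheme} Authorization header instead of SigV4"
    return "IP allowed; no conflicting Authorization header seen"
```

Run `diagnose` with the public IP the co-worker's requests actually egress from, which may differ from the workstation address behind NAT or a VPN.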
