Opensearch Serverless Resource throwing a 403 forbidden error


I'm trying to provide minimum permissions to my opensearch serverless collection.

I have everything working with the resource set to "*". However, when I try to narrow this down I'm getting errors.

Below is an example of my IAM role statements (working example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - "*"

Here is the IAM role statements (breaking example).

        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id*
1 Answer
Accepted Answer

If the action is set to "aoss:*", then APIs with resource types other than "Collection" will also be restricted, resulting in an error.
The table linked below shows that only three actions can be scoped to the "Collection" resource type: "APIAccessAll", "DeleteCollection" and "UpdateCollection".
For APIs other than the above, setting the resource type to "Collection" will result in an error.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html#amazonopensearchserverless-actions-as-permissions

EXPERT, answered 10 months ago
AWS EXPERT, reviewed 9 months ago
  • So I would make the following policy.

            iamRoleStatements:
                - Effect: Allow
                  Action:
                      - aoss:APIAccessAll
                      - aoss:DeleteCollection
                      - aoss:UpdateCollection
                  Resource:
                      - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
                - Effect: Allow
                  Action:
                      - aoss:DashboardsAccessAll
                  Resource:
                      - arn:aws:aoss:region:account-id:dashboards/default
                - Effect: Allow
                  Action:
                     - aoss:*
                  Resource:
                     - "*"
    
  • So does:

    Resource: 
        - "*"
    

    need to remain for "aoss:*", or can this be narrowed down to a specific index? Apologies if this is a silly question, just wanted to double check.

  • As far as I can see from the documentation, only the policy I described can narrow down the resource type. So, if you want to allow "aoss:*", the resource type must be "*".
