How to set up an IAM role to access an AWS OpenSearch Service domain through Terraform

I have an OpenSearch domain deployed in AWS and want to manage it through the Terraform provider. I have the following provider block. How do I set up an IAM role that can be used to access this domain through Terraform?

provider "opensearch" {
  aws_region = "<region>"
  aws_profile = "<profile>"
  healthcheck = true
  url = "<domain_url>"
  sign_aws_requests = false
  aws_assume_role_arn = "<role_arn>"
}

I have tried creating a role with the following trust policy and admin privileges, and added this role to the provider.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "es.amazonaws.com",
                "AWS": "arn:aws:iam::<account_no>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

But this does not work and gives me │ Error: elastic: Error 401 (Unauthorized) when I do terraform apply.

2 Answers

You can use the AWS Policy generator - https://awspolicygen.s3.amazonaws.com/policygen.html. Choose IAM policy and add the relevant information in order to create the policy.

AWS
SUPPORT ENGINEER
Ravid_G
answered 6 months ago

There are a few things you can check:

  1. Ensure that the user or role associated with the aws_profile set in your provider has sts:AssumeRole permission on the role you created.
  2. The provider configuration you posted is explicitly disabling signing of AWS requests. This setting is intended for using HTTP Basic Auth. I recommend configuring your opensearch provider with sign_aws_requests = true for use with IAM authentication.
  3. If you have Fine-Grained Access Control enabled and the role you are using is not set as the master user, you may need to add a role mapping for the role you are trying to use.

AWS
answered 5 months ago
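
The three checks from the answer above, put together as one Terraform configuration. This is an added example, not code from the question or either answer. The resource names, the variables `caller_arn` and `domain_arn`, and the `all_access` mapping are assumptions; the `<...>` placeholders are the question's own.

```hcl
variable "caller_arn" { type = string } # hypothetical: ARN behind aws_profile
variable "domain_arn" { type = string } # hypothetical: ARN of the domain

# Check 1: the principal behind aws_profile may assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [var.caller_arn]
    }
  }
}

resource "aws_iam_role" "terraform_opensearch" {
  name               = "terraform-opensearch" # hypothetical name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# HTTP access scoped to the one domain rather than admin privileges.
data "aws_iam_policy_document" "es_http" {
  statement {
    actions   = ["es:ESHttp*"]
    resources = ["${var.domain_arn}/*"]
  }
}

resource "aws_iam_role_policy" "es_http" {
  name   = "es-http"
  role   = aws_iam_role.terraform_opensearch.id
  policy = data.aws_iam_policy_document.es_http.json
}

provider "opensearch" {
  url                 = "<domain_url>"
  aws_region          = "<region>"
  aws_profile         = "<profile>"
  aws_assume_role_arn = "<role_arn>" # ARN of the role above
  sign_aws_requests   = true         # check 2: SigV4-sign for IAM auth
  healthcheck         = true
}

# Check 3 (fine-grained access control only): map the IAM role to an
# OpenSearch role. "all_access" is an assumption; prefer a narrower role.
resource "opensearch_roles_mapping" "terraform" {
  role_name     = "all_access"
  backend_roles = [aws_iam_role.terraform_opensearch.arn]
}
```

Because `opensearch_roles_mapping` is applied through the provider itself, it has to be applied by an identity that already has access to the security plugin, such as the master user.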