Parameter substitution in OpenSearch Document-level security

0

The OpenSearch Service documentation for Document-level security links to the OpenSearch documentation, which includes Parameter Substitution. The possible 'type' values for parameter substitution are internal, jwt, proxy or ldap.

On self-hosted OpenSearch we've been able to send in custom fields for parameter substitution using the proxy type by adding headers to the proxied requests. Is it possible to do this on AWS-hosted OpenSearch Service?

asked 3 months ago, 312 views
1 Answer
1
Accepted Answer

Hello,

Thank you for reaching out to AWS re:Post with your inquiry.

You have reached out due to the fact that the AWS OpenSearch Service for "Document-level security" links to the AWS OpenSearch documentation, which includes Parameter Substitution. The possible 'type' values for parameter substitution are internal, jwt, proxy or ldap. You are seeking further guidance on your use-case of currently using a self-hosted AWS OpenSearch Service where you've been able to send in custom fields for parameter substitution using the proxy type by adding headers to the proxied requests, and on whether it is possible to do this on AWS-hosted and Managed OpenSearch Service.

Please do feel free to correct me if I have misunderstood your concerns in any way whatsoever.


GUIDANCE:

  1. After fully testing each of the attribute replacement TYPEs (internal, jwt, proxy and ldap), it has been verified that none of them are functional within AWS Managed OpenSearch Service.

  2. Through further investigation, it has been found that JWT token authentication is not supported with Managed Amazon OpenSearch service. Note: I would like to share with you that there is an existing feature request to bring this functionality in just as we see it in the open source version. No ETA is currently provided on when this feature will be provided by the OpenSearch Service Team.

  3. Any workarounds:

I hope the above guidance is insightful. Please do let me know if you have any further questions.

Thanks and have a great day!

AWS
iChibby
answered 16 days ago
