
Unable to pass role ml_full_access in AWS Opensearch

0

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.19 OpenSearch_2_19_R20250630-P4 (latest) ap-southeast-3

Describe the issue: I followed the documentation in opensearch semantic-search-bedrock-cohere with the same policies and trust. But when I tried to predict with the model using the dev tools, based on the end of step 4, it gave me a forbidden error as follows: Authorization error during prediction: User: [REDACTED-USER-ARN] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<my-account-id>:role/opensearch-bedrock-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: *******; Proxy: null

I have quadruple checked that my configuration is correct and points to the right resource ARN, and I had added the connector role as a backend role of ml_full_access.

I had also tried using a fresh OpenSearch domain in AWS, which yielded the same result.

My hypothesis is that, for whatever reason, OpenSearch does not want to use the bedrock role, even though PassRole is fully functional, since I can create the connector with the bedrock-role ARN credential in the payload. Another thing to note: I had managed to get this working a few weeks ago, but was then suddenly unable to after I updated to the latest version.

Configuration: I have 2 roles for this, opensearch-bedrock-connector-role and opensearch-bedrock-role.

  • opensearch-bedrock-connector-role has iam:PassRole permission on opensearch-bedrock-role as well as es:ESHttpPost on the ARN of my OpenSearch domain. Its trust policy allows my own IAM user ARN, which has administrator privileges, to assume the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<account-id>:role/opensearch-bedrock-role"
        },
        {
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": "arn:aws:es:ap-southeast-3:<account-id>:domain/rag-search"
        }
    ]
}
  • opensearch-bedrock-role has permission to invoke any Bedrock foundation model. Its trust policy is as follows:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "es.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}


2 Answers
0
Accepted Answer

After paying for the support and waiting for a week, they gave me an answer. Turns out I had to change the trust policy to es.ap-southeast-3.amazonaws.com which was not in any documentation. I really hope they update this.

answered 10 months ago
-1

To resolve the "Authorization error during prediction" issue with the ml_full_access role in Amazon OpenSearch Service, there are several key steps to check:

  1. Verify Backend Role Mapping: Ensure that you've properly mapped the IAM role to the ml_full_access role in OpenSearch Dashboards:
  • Navigate to OpenSearch Dashboards for your domain
  • Go to Security > Roles > ml_full_access
  • Select Mapped users > Manage mapping
  • Under Backend roles, add the ARN of your role (opensearch-bedrock-connector-role)
  • Confirm the role appears under Mapped users
  2. Check Trust Relationships: The trust policy for opensearch-bedrock-role must allow es.amazonaws.com as a service principal to assume the role, which you've already configured correctly.
  3. IAM Permissions: Ensure your opensearch-bedrock-connector-role has:
  • iam:PassRole permissions for the opensearch-bedrock-role
  • es:ESHttpPost permissions for your OpenSearch domain
  4. Role Chain Verification: When using multiple roles, ensure the chain of trust is properly established:
  • Your user can assume opensearch-bedrock-connector-role
  • opensearch-bedrock-connector-role can pass opensearch-bedrock-role
  • opensearch-bedrock-role can be assumed by es.amazonaws.com
  5. Version Compatibility: Since you mentioned this worked previously but stopped after updating to the latest version, check if there are any version-specific requirements or changes in the latest OpenSearch version that might affect role permissions.

If all these configurations are correct, you might need to try creating a new role with a different name to rule out any potential issues with the existing role configuration.
Sources
Amazon OpenSearch Service ML connectors for AWS services - Amazon OpenSearch Service
Build multimodal search with Amazon OpenSearch Service | AWS Big Data Blog
Use DeepSeek with Amazon OpenSearch Service vector database and Amazon SageMaker | AWS Big Data Blog
Use DeepSeek with Amazon OpenSearch Service vector databases and Amazon SageMaker | AWS Big Data Blog

answered a year ago
  • I'm guessing the P4 patch is messing with everything? The good patch was P2 or P3.
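Added example, not code from the question or from either answer: a small Python linter for the two-role setup described in the question, checking the points the two answers turn on. It flags a bedrock role trust policy that does not name the regional OpenSearch service principal es.<region>.amazonaws.com (the change the accepted answer reports was needed), a connector role that cannot iam:PassRole the bedrock role, and a connector role that lacks es:ESHttpPost on the domain (the second answer's checklist). The account id and domain name are constructed placeholders modelled on the question; the checks are exact-match and ignore wildcards and Condition blocks.

```python
import json
# Constructed inputs modelled on the question's policies; the account id is a placeholder.
REGION = "ap-southeast-3"
BEDROCK_ROLE_ARN = "arn:aws:iam::123456789012:role/opensearch-bedrock-role"
DOMAIN_ARN = f"arn:aws:es:{REGION}:123456789012:domain/rag-search"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "es.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
CONNECTOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": BEDROCK_ROLE_ARN},
    {"Effect": "Allow", "Action": "es:HttpPost", "Resource": DOMAIN_ARN}]}  # misspelt, as in the question

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_resources(policy, action):
    """Resources on which `action` is allowed. Exact name match only: wildcards and Conditions are ignored."""
    res = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow" and action in _as_list(st.get("Action", [])):
            res.update(_as_list(st.get("Resource", [])))
    return res

def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role."""
    svc = set()
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            svc.update(_as_list(st.get("Principal", {}).get("Service", [])))
    return svc

def lint(trust_policy, connector_policy, region, bedrock_role_arn, domain_arn):
    """Findings for the two-role setup; an empty list means every check passed."""
    findings, regional = [], f"es.{region}.amazonaws.com"
    if regional not in trusted_services(trust_policy):
        findings.append(f"bedrock role trust policy does not allow {regional} to assume it")
    if bedrock_role_arn not in allowed_resources(connector_policy, "iam:PassRole"):
        findings.append("connector role cannot iam:PassRole the bedrock role")
    if domain_arn not in allowed_resources(connector_policy, "es:ESHttpPost"):
        findings.append("connector role lacks es:ESHttpPost on the domain (the action is es:ESHttpPost, not es:HttpPost)")
    return findings

def regionalized(trust_policy, region):
    """Copy of the trust policy with es.amazonaws.com swapped for the regional principal."""
    fixed, regional = json.loads(json.dumps(trust_policy)), f"es.{region}.amazonaws.com"  # deep copy
    for st in fixed.get("Statement", []):
        svc = st.get("Principal", {}).get("Service")
        if svc is not None:
            new = [regional if s == "es.amazonaws.com" else s for s in _as_list(svc)]
            st["Principal"]["Service"] = new[0] if isinstance(svc, str) else new
    return fixed
```

Running lint on the constructed inputs reports two findings (global service principal, misspelt action); after regionalized() only the es:ESHttpPost finding remains.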
