Opensearch Serverless 'search_phase_execution_exception' Error when querying index

1

I'm trying to do a search query to my Opensearch Serverless index but I keep getting the following error:

 403 - Forbidden: {
  "code": 403,
  "message": "search_phase_execution_exception: [security_exception] Reason: Bad Authorization"
}

Here is my function to query the index:

const searchDocument = async ({ index, document }) => {
    const query = { query: { match: { description: document } } };
    console.log('query search document:', query);
    const checkingSearch = await client.search({ index, body: query });
    console.log('checkingSearch:', checkingSearch);
    return checkingSearch;
};

I thought it may have been an IAM permission issue, but I'm using the same permissions I have for a separate lambda function where it is updating the index and it works fine. Here is a snippet of my IAM permission:

iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
                  - aoss:DeleteCollection
                  - aoss:UpdateCollection
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:DashboardsAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:dashboards/default
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - '*'
            - Effect: Allow
              Action:
                  - dynamodb:GetItem
                  - dynamodb:Query
                  - dynamodb:BatchGetItem
              Resource: 'arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${opt:stage, self:provider.stage}-DBNAME*'

2 Answers
0

Hello.
If there is a problem with the IAM policy, is it logged to CloudTrail, etc.?

EXPERT
answered 9 months ago
  • Not that I can see. This is what is outputting in the logs:

    ResponseError: search_phase_execution_exception: [security_exception] Reason: Bad Authorization
        at onBody (/var/task/node_modules/@opensearch-project/opensearch/lib/Transport.js:425:23)
        at IncomingMessage.onEnd (/var/task/node_modules/@opensearch-project/opensearch/lib/Transport.js:340:11)
        at IncomingMessage.emit (node:events:525:35)
        at IncomingMessage.emit (node:domain:489:12)
        at endReadableNT (node:internal/streams/readable:1358:12)
        at processTicksAndRejections (node:internal/process/task_queues:83:21) {
      meta: {
        body: { error: [Object], status: 403 },
        statusCode: 403,
    
  • What happens if I grant Administrator privileges to try it out? If execution fails even after granting Administrator, the problem is probably in something other than IAM.
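
Added example, not part of the original thread, and the thread does not say whether this was the cause: OpenSearch Serverless authorizes data-plane calls such as search against the collection's data access policy in addition to IAM, so a role can hold aoss:APIAccessAll and still be refused. The sketch below evaluates a data access policy document offline for one role and index; the policy, role ARNs, collection and index names are constructed sample values, and the matching (exact principal string, `*` wildcards in resources) is a simplified model of the service's evaluation.

```javascript
// Constructed sample data access policy: the indexing role may write,
// a reporting role may read one index, and the search role is not listed.
const samplePolicy = [
  {
    Rules: [
      { ResourceType: 'index', Resource: ['index/my-collection/*'],
        Permission: ['aoss:CreateIndex', 'aoss:UpdateIndex', 'aoss:WriteDocument'] },
    ],
    Principal: ['arn:aws:iam::111122223333:role/indexer-lambda-role'],
  },
  {
    Rules: [
      { ResourceType: 'index', Resource: ['index/my-collection/products'],
        Permission: ['aoss:ReadDocument'] },
    ],
    Principal: ['arn:aws:iam::111122223333:role/reporting-role'],
  },
];

// Convert a policy resource pattern with '*' wildcards into an anchored RegExp.
const toRegex = (pattern) =>
  new RegExp('^' + pattern.split('*')
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*') + '$');

// True when `principal` is granted `permission` on the index `resource`.
function isGranted(policy, principal, permission, resource) {
  return policy.some((statement) =>
    statement.Principal.includes(principal) &&
    statement.Rules.some((rule) =>
      rule.ResourceType === 'index' &&
      rule.Resource.some((r) => toRegex(r).test(resource)) &&
      rule.Permission.some((p) => p === permission || p === 'aoss:*')));
}

// Report the document-level permissions a role holds on one index.
function explain(policy, principal, resource) {
  const wanted = ['aoss:ReadDocument', 'aoss:WriteDocument'];
  return Object.fromEntries(
    wanted.map((p) => [p, isGranted(policy, principal, p, resource)]));
}

const index = 'index/my-collection/products';
for (const role of ['indexer-lambda-role', 'search-lambda-role']) {
  console.log(role, explain(samplePolicy, `arn:aws:iam::111122223333:role/${role}`, index));
}
```

A role that can update the index but shows `aoss:ReadDocument: false` here would be able to write documents and still get a 403 on search.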

0

Did you ever end up getting a resolution here?

Zack
answered 4 days ago
