AWS OpenSearch Serverless - returning 403 error with correct access policy

I’m trying to create a REST API on my lambda to create a document within my opensearch serverless collection.

I’m able to do this manually through the dashboard. However, while trying to hit the endpoint I’m getting 403 errors.

I have granted all access on my access policy and followed the tutorial and even this re:Post article (https://repost.aws/questions/QU32hRu7KtQd-XWauqWXMjqQ/opensearch-serverless-javascript-content-length-403-error) but still no luck.

Any help would be greatly appreciated.

Topics

Serverless Compute Front-End Web & Mobile Networking & Content Delivery Security, Identity, & Compliance Analytics Database

Tags

Serverless AWS Lambda Amazon API Gateway IAM Policies Amazon OpenSearch Serverless

Language

English

pabs

asked 10 months ago2428 views

1 Answer

Newest
Most votes
Most comments

Accepted Answer

Assuming your data access policy is configured properly, make sure your Lambda function's execution role has aoss:APIAccessAll permissions applied for data-plane access, see Using data-plane policies

Edward_S

answered 10 months ago

pabs
10 months ago
I have added those into my IAM but still getting a 403 error.

Heres a snippet of my data access policy: policy = jsonencode([{ "Rules" : [ { "ResourceType" : "index", "Resource" : [ "index/my-data-collection-${var.stage}/*" ], "Permission" : [ "aoss:CreateIndex", "aoss:ReadDocument", "aoss:UpdateIndex", "aoss:WriteDocument", "aoss:*" ]}], "Principal" : [ "arn:${partition}:iam::${account_id}:user/${stage}"]

And a snippet of my IAM: `iamRoleStatements:

Effect: Allow Action:

aoss:APIAccessAll Resource:

arn:aws:aoss:${aws:region}:${aws:accountId}:collection/id`

Edward_S

10 months ago

Is that the full data access policy? If so, you will need to add the ARN of the Lamaba function's execution role to the Principal element.

For example

policy = jsonencode([
{ 
    "Rules" : [{
        "ResourceType" : "index", 
        "Resource" : [ 
            "index/my-data-collection-${var.stage}/*" ], 
            "Permission" : [ 
                    "aoss:CreateIndex",
                    "aoss:ReadDocument",
                    "aoss:UpdateIndex",
                    "aoss:WriteDocument",
                    "aoss:*"
              ]
      }], 
      "Principal" : [
            "arn:${partition}:iam::${account_id}:user/${stage}",
            "arn:${partition}:iam::${account_id}:role/${LambdaExecutionRoleName}"
       ]

Relevant content

OpenSearch serverless create error
rePost-User-1486063
asked a year ago
Opensearch Serverless Resource throwing a 403 forbidden error
Accepted Answer
pabs
asked 9 months ago
403 on opensearch serverless dashboard url
IndieGameDeveloperFromParallelWorld
asked 3 months ago
403 Forbidden error when creating vector index Opensearch Serverless
Helder
asked 2 months ago
I’m using an S3 REST API endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?
AWS OFFICIALUpdated a year ago
Why did I get a "User: anonymous is not authorized" error when I tried to access my OpenSearch Service cluster?
AWS OFFICIALUpdated a year ago
How do I set up an OpenSearch Serverless collection with an Amazon VPC endpoint and access the collection's dashboard?
AWS OFFICIALUpdated 3 months ago
Why is my API Gateway proxy resource with a Lambda authorizer that has caching activated returning HTTP 403 "User is not authorized to access this resource" errors?
AWS OFFICIALUpdated 2 years ago
How to e-mail OpenSearch reports and dashboards via opensearch-reporting-cli
EXPERT
Sohaib Katariwala
published 2 months ago
Use IAM tags to enable fine-grained federated authentication to Redshift Serverless
EXPERT
Poulomi_DG
published a year ago