Hello,
Looking at the Access Policy for the OpenSearch Domain, as well as the error being returned, it would indicate that the Access Policy for the OpenSearch domain is only allowing the ARN listed in the "Principal" element access to view the OpenSearch Dashboard. In addition, it is mentioned here[1] that if you specify an IAM user/role ARN in the Access Policy as the "Principal" element, such as the Access Policy attached to your OpenSearch domain, then you would need to sign the request to the OpenSearch Dashboard.
When accessing the OpenSearch Dashboard from a web browser, such as the AWS Management Console, the request is essentially an unsigned request, and as the request to the OpenSearch Dashboard is an unsigned request, you would essentially be accessing the dashboard as an anonymous user, resulting in the error being returned. In this scenario, you would generally make use of one of the AWS SDKs to access the OpenSearch Dashboard, as the AWS SDK handles the signing of the API requests automatically.
However, as mentioned in the AWS article here[2], in the scenario where you are unable to sign the request, like accessing the OpenSearch Dashboard via the AWS Management Console, you can consider applying an IP-based access policy to the domain, as IP-based policies would allow for unsigned requests to the OpenSearch Dashboard. However, an IP-based policy would only allow unsigned requests from the IP address that is listed in the IP-based access policy. I am also providing the AWS documentation here[3], showing an example of an IP-based policy that allows unsigned requests to an OpenSearch dashboard from a specific IP range.
I sincerely hope the above helps with the query of concern.
References:
[1] Making and signing OpenSearch Service requests - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-signing-service-requests.html
[2] https://repost.aws/knowledge-center/anonymous-not-authorized-opensearch
[3] Identity and Access Management in Amazon OpenSearch Service - IP-based policies - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-ip
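
The difference between the two policy types described in the answer above can be checked before a policy is applied. The following is an added example, not part of the original answer or AWS's own code: it labels each Allow statement of a domain access policy as requiring signed requests, allowing unsigned requests from listed CIDRs, or being effectively open. The account ID, role name, domain name and IP range are constructed placeholders.

```python
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} matches every caller, including unsigned browser requests.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def _source_ips(statement):
    # Collect CIDRs from an IpAddress condition on aws:SourceIp (key is case-insensitive).
    cond = statement.get("Condition", {}).get("IpAddress", {})
    return [ip for k, v in cond.items() if k.lower() == "aws:sourceip" for ip in _as_list(v)]

def classify(policy):
    """Return one label per Allow statement of a domain access policy."""
    labels = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        ips = _source_ips(st)
        if not _is_anonymous(st.get("Principal")):
            labels.append("signed-only")          # browser access is treated as anonymous
        elif not ips or any(ipaddress.ip_network(ip, strict=False).prefixlen == 0 for ip in ips):
            labels.append("open-to-anyone")       # no effective IP restriction
        else:
            labels.append("unsigned-from:" + ",".join(ips))
    return labels

# Constructed sample policies (placeholder account, role, domain and IP range).
RESOURCE = "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "es:ESHttp*", "Resource": RESOURCE,
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-role"}}]}
IP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "es:ESHttp*", "Resource": RESOURCE,
    "Principal": {"AWS": "*"},
    "Condition": {"IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]}}}]}

if __name__ == "__main__":
    print(classify(ROLE_POLICY))
    print(classify(IP_POLICY))
```

A statement labelled `open-to-anyone` has a wildcard principal with no IP condition, or one that includes a `/0` range, and should be narrowed before use.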