Opensearch Domain dashboard error: "User: anonymous is not authorized to perform: es:ESHttpGet because no resource-based policy allows the es:ESHttpGet action"


I am not able to open my Opensearch dashboard link. When I click it from the AWS Console, I just see a blank page with the error message: "User: anonymous is not authorized to perform: es:ESHttpGet because no resource-based policy allows the es:ESHttpGet action"

Here is my CDK access policy for the Opensearch domain:

// Imports used by the snippet below (these go at the top of the stack file)
import * as iam from 'aws-cdk-lib/aws-iam';
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';

// opensearch domain
const osDomain = new opensearch.Domain(this, 'os_domain', {
  version: opensearch.EngineVersion.OPENSEARCH_2_13,
  capacity: {
    dataNodeInstanceType: "t3.small.search",
    dataNodes: 1,
    multiAzWithStandbyEnabled: false
  },

  advancedOptions: {
    'rest.action.multi.allow_explicit_index': 'true'
  },

  // Resource-based access policy: only the Lambda's assumed role is a principal,
  // so only SigV4-signed requests from that role are accepted
  accessPolicies: [
    new PolicyStatement({
      effect: Effect.ALLOW,
      principals: [
        new iam.ArnPrincipal("arn:aws:sts::123456789012:assumed-role/ExCdkStack-lambdafuncServiceRol-abcdefg/ExCdkStack-lambdafunc12345-abcdefgHIJK")
      ],
      actions: ["es:*"],
      resources: ["arn:aws:es:us-east-1:123456789012:domain/osdomain12345-asdfghjkl/*"]
    })
  ]
});

I tried adding another principal in the principals list: "new AnyPrincipal()" as recommended by these posts: https://repost.aws/questions/QUfyKFVUu5RA2SMLzk-32Hyg/getting-user-anonymous-is-not-authorized-to-perform-es-eshttpget-because-no-resource-based-policy-allows-the-es-eshttpget-action and https://repost.aws/questions/QU4f7jQHSoQliE2bM1sTxMNQ/403-on-opensearch-serverless-dashboard-url

However, I got the cdk deployment error: "Apply a restrictive access policy to your domain"

I also tried adding the principal "new AccountPrincipal("123456789012")", however still same issue.

Please advise on what permissions/access policies I need to create to access the dashboard. Thank you.

1 Answer

Hello,

Looking at the Access Policy for the OpenSearch Domain, as well as the error being returned, it would indicate that the Access Policy for the OpenSearch domain is only allowing the ARN listed in the "Principal" element access to view the OpenSearch Dashboard. In addition, it is mentioned here[1] that if you specify an IAM user/role ARN as the "Principal" element in the Access Policy, such as in the Access Policy attached to your OpenSearch domain, then you would need to sign the request to the OpenSearch Dashboard.

When accessing the OpenSearch Dashboard from a web browser, such as via the AWS Management Console, the request is essentially an unsigned request. As the request to the OpenSearch Dashboard is unsigned, you would essentially be accessing the dashboard as an anonymous user, resulting in the error being returned. In this scenario, you would generally make use of one of the AWS SDKs to access the OpenSearch Dashboard, as the AWS SDK handles the signing of the API requests automatically.

However, as mentioned in the AWS article here[2], in the scenario where you are unable to sign the request, such as when accessing the OpenSearch Dashboard via the AWS Management Console, you can consider applying an IP-based access policy to the domain, as IP-based policies allow unsigned requests to the OpenSearch Dashboard. However, an IP-based policy would only allow unsigned requests from the IP addresses listed in the IP-based access policy. I am also providing the AWS documentation here[3], showing an example of an IP-based policy that allows unsigned requests to an OpenSearch dashboard from a specific IP range.

I sincerely hope the above helps with the query of concern.

References:

[1] Making and signing OpenSearch Service requests - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-signing-service-requests.html

[2] https://repost.aws/knowledge-center/anonymous-not-authorized-opensearch

[3] Identity and Access Management in Amazon OpenSearch Service - IP-based policies - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-ip

answered 10 days ago
AWS
SUPPORT ENGINEER
revised 9 days ago
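To make the answer's point concrete, here is an added example (not from the question, the answer, or AWS) that builds the two-statement domain access policy as the JSON document CDK would synthesize and checks a few constructed requests against it with a simplified model of resource-policy evaluation. The ARNs are the question's own placeholders and the CIDR is constructed; the model ignores explicit Deny statements, identity-based policies and fine-grained access control.

```typescript
// Added example: the two-statement access policy as JSON (what CDK synthesizes),
// plus a simplified evaluator. Model: Allow statements only, no explicit Deny,
// no identity policies, no fine-grained access control. ARNs and CIDRs are placeholders.

type Statement = {
  Effect: "Allow";
  Principal: { AWS: string } | "*";
  Action: string[];
  Resource: string;
  Condition?: { IpAddress: { "aws:SourceIp": string[] } };
};

const DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/osdomain12345-asdfghjkl/*";
const ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/ExCdkStack-lambdafuncServiceRol-abcdefg/ExCdkStack-lambdafunc12345-abcdefgHIJK";

// Statement 1 is the signed path from the question. Statement 2 is the IP-based
// statement from the answer: Principal "*" admits unsigned requests, and the
// aws:SourceIp condition is what keeps the policy restrictive.
function buildAccessPolicy(roleArn: string, domainArn: string, allowedCidrs: string[]): Statement[] {
  return [
    { Effect: "Allow", Principal: { AWS: roleArn }, Action: ["es:*"], Resource: domainArn },
    { Effect: "Allow", Principal: "*", Action: ["es:ESHttpGet", "es:ESHttpPost"], Resource: domainArn,
      Condition: { IpAddress: { "aws:SourceIp": allowedCidrs } } },
  ];
}

function ipToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function inCidr(ip: string, cidr: string): boolean {
  const [net, bits = "32"] = cidr.split("/");
  const prefix = Number(bits);
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// principal === null models an unsigned (anonymous) browser request.
function isAllowed(policy: Statement[], principal: string | null, action: string, sourceIp: string): boolean {
  return policy.some((s) => {
    const p = s.Principal;
    const principalOk = p === "*" || (principal !== null && p.AWS === principal);
    const actionOk = s.Action.some((a) => a === "es:*" || a === action);
    const cidrs = s.Condition?.IpAddress["aws:SourceIp"] ?? [];
    const ipOk = s.Condition === undefined || cidrs.some((c) => inCidr(sourceIp, c));
    return principalOk && actionOk && ipOk;
  });
}
```

An IP-based statement only applies to a domain with a public endpoint; VPC domains do not support aws:SourceIp conditions, so the signed-request path is the one to use there.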
