Opensearch Serverless Resource throwing a 403 forbidden error

Question

I'm trying to provide minimum permissions to my opensearch serverless collection.

I have everything working with the resource set to "*". However, when I try narrow this down i'm getting errors.

Below is an example of my IAM role statements (working example).

```
        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - "*"
```

Here is the IAM role statements (breaking example).

```
        iamRoleStatements:
            - Effect: Allow
              Action:
                  - aoss:APIAccessAll
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id
            - Effect: Allow
              Action:
                  - aoss:*
              Resource:
                  - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/open_search_collection_id*
```

Accepted Answer

If the action is set to "aoss:*", then APIs with resource types other than "Collection" will also be restricted, resulting in an error.  
The table below shows that only three resource types "Collection" can be set: "APIAccessAll", "DeleteCollection" and "UpdateCollection".  
For APIs other than the above, setting the resource type to "Collection" will result in an error.  
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchserverless.html#amazonopensearchserverless-actions-as-permissions

Opensearch Serverless Resource throwing a 403 forbidden error

相关内容