403 error when restoring snapshot via IAM role – 'no permissions for []'

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.15

Background:

  • AWS OpenSearch domain in ap-southeast-1, fine-grained access control enabled.
  • Master user: internal database; IAM Identity Center disabled.
  • Repository created successfully via API:

PUT _snapshot/prod_opensearch_repo/snapshot-2

Describe the issue:

Restoring snapshot fails:

POST /_snapshot/prod_opensearch_repo/snapshot-2/_restore
{ "indices": "-.kibana*, -.opendistro*", "include_global_state": false }

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [] and User [name=admin, backend_roles=[arn:aws:iam::851725613314:role/opensearchsnapshotrol], requestedTenant=]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [] and User [name=admin, backend_roles=[arn:aws:iam::851725613314:role/opensearchsnapshotrol], requestedTenant=]"
  },
  "status": 403
}

Configuration:

Auth Info
{
  "user": "User [name=admin, backend_roles=[arn:aws:iam::851725613314:role/opensearchsnapshotrol], requestedTenant=]",
  "user_name": "admin",
  "user_requested_tenant": "",
  "backend_roles": [
    "arn:aws:iam::851725613314:role/opensearchsnapshotrol"
  ],
  "custom_attribute_names": [],
  "roles": [
    "manage_snapshots",
    "security_manager",
    "all_access",
    "snapshot_management_full_access"
  ],
  "tenants": {
    "global_tenant": true,
    "admin": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

Manage Snapshots
{
  "manage_snapshots": {
    "hosts": [],
    "users": [
      "arn:aws:iam::851725613314:user/Agmo",
      "admin"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "arn:aws:iam::851725613314:role/opensearchsnapshotrole"
    ],
    "and_backend_roles": []
  }
}

Snapshot Management Full Access
{
  "snapshot_management_full_access": {
    "hosts": [],
    "users": [
      "admin"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "arn:aws:iam::851725613314:user/devmiddlewarefunctionaluser",
      "arn:aws:iam::851725613314:role/opensearchsnapshotrole"
    ],
    "and_backend_roles": []
  }
}

Questions

  1. Why does OpenSearch still return no permissions for [] despite correct manage_snapshots mapping and roles identified in authinfo?
  2. Is mapping to snapshot_management_full_access or security_manager required as a separate step?
  3. Is certificate-based admin auth (PEM) required for snapshot restores on AWS-managed OpenSearch—even with FGAC?
  4. Are there any missing configuration layers (Domain Policies, FGAC migration, etc.) or logs I should examine?

Relevant Logs or Screenshots:

@patriklee90 do you know which indices were included in the snapshot? It's possible the restore is picking up .opendistro_security, which requires the admin certificate (PEM).

I'm using this command; I think it does not contain .opendistro_security:

POST /_snapshot/opensearch_repo/snapshot-2/_restore
{
  "indices": "-.kibana*,-.opendistro*",
  "include_global_state": false
}

@patriklee90 You can use the following command to see which indices were included in the snapshot:

curl -k -u admin:admin https://localhost:9200/_snapshot/<repo_name>/<snapshot_name>?pretty

It's possible one or more of the indices you are trying to restore require the admin certificate.
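Added example, not code from the thread or from the OpenSearch project: a small Python check that takes the authinfo and rolesmapping output posted in the question and reports, for each role, which of the security plugin's three mapping channels (users, backend_roles, and_backend_roles) actually matched the caller, then lists any backend role the caller carries that no mapping names, together with the closest mapped value. The function names are my own; the ARNs and role names are copied from the thread.

```python
from difflib import get_close_matches

# Data copied from the thread (authinfo response and rolesmapping entries; dropped [] restored).
AUTHINFO = {
    "user_name": "admin",
    "backend_roles": ["arn:aws:iam::851725613314:role/opensearchsnapshotrol"],
}
ROLES_MAPPING = {
    "manage_snapshots": {
        "users": ["arn:aws:iam::851725613314:user/Agmo", "admin"],
        "backend_roles": ["arn:aws:iam::851725613314:role/opensearchsnapshotrole"],
        "and_backend_roles": [],
    },
    "snapshot_management_full_access": {
        "users": ["admin"],
        "backend_roles": ["arn:aws:iam::851725613314:user/devmiddlewarefunctionaluser",
                          "arn:aws:iam::851725613314:role/opensearchsnapshotrole"],
        "and_backend_roles": [],
    },
}

def explain_mapping(authinfo, mappings):
    """{role: channels matched}: users, backend_roles (any one), and_backend_roles (all)."""
    user, have = authinfo["user_name"], set(authinfo["backend_roles"])
    report = {}
    for role, m in mappings.items():
        via = []
        if user in m.get("users", []):
            via.append("users")
        if have & set(m.get("backend_roles", [])):
            via.append("backend_roles")
        required = m.get("and_backend_roles", [])
        if required and set(required) <= have:
            via.append("and_backend_roles")
        report[role] = via
    return report

def unmatched_backend_roles(authinfo, mappings):
    """Backend roles the caller carries that no mapping lists, with the closest mapped value."""
    mapped = sorted({b for m in mappings.values()
                     for b in m.get("backend_roles", []) + m.get("and_backend_roles", [])})
    return {b: get_close_matches(b, mapped, n=1, cutoff=0.9)
            for b in authinfo["backend_roles"] if b not in mapped}

if __name__ == "__main__":
    for role, via in explain_mapping(AUTHINFO, ROLES_MAPPING).items():
        print(f"{role}: matched via {via or 'nothing'}")
    for br, near in unmatched_backend_roles(AUTHINFO, ROLES_MAPPING).items():
        print(f"unmapped backend role {br}; closest mapped value: {near}")
```

Run against the thread's data it shows both roles matched only through the internal user name "admin", while the IAM role ARN the caller actually carries matches no mapping and differs from the mapped ARN by one character.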