Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
- 2.5
Describe the issue:
I’m attempting to connect OpenSearch to Min.io so that I can save index snapshots to an object-based on-prem storage. When I attempt to create the S3 repository, I receive access denied errors because the Min.io response does not match the S3 signature.
Configuration:
I created the OpenSearch cluster using the OpenSearch helm chart with the following secret and values.yml
```yaml
- name: Deploy OpenSearch Minio Secrets
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: opensearch-storage-secrets
        namespace: opensearch
      data:
        s3.client.default.access_key: "{{ 'opensearch' | b64encode }}"
        s3.client.default.secret_key: "{{ 'p@$$w0rd!' | b64encode }}"
```

```yaml
replicas: 1
minimumMasterNodes: 0
config:
  opensearch.yml: |
    ...
    s3.client.default:
      endpoint: "http://storage-minio.opensearch:9000"
      protocol: http
      path_style_access: true
    ...
keystore:
  - secretName: opensearch-storage-secrets
...
```
The Min.io user is configured with a service account `opensearch:p@$$w0rd!`.
When I checked the Min.io access, I could see that the S3 endpoint was hit and that a 403 was sent back to OpenSearch.
My service account has the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::opensearch/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::opensearch"
      ]
    }
  ]
}
```
I’ve attached documentation and screenshots for context.
Relevant Documentation:
- Taking and restoring snapshots - Take and restore snapshots - OpenSearch documentation
- Using MinIO as snapshot repository - Use MinIO as snapshot repository failed if use https
- Snapshotting Minio on-prem storage - Snapshotting to Minio on-premise storage | Elastic Cloud Enterprise Reference [3.5] | Elastic
Relevant Logs or Screenshots:
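
Added example, not part of the original post: a minimal AWS Signature Version 4 computation for a path-style list request against the `opensearch` bucket, showing that a 403 can come from the signature check before the bucket policy is ever evaluated. The endpoint, bucket and key string come from the post; the timestamp, the region `us-east-1`, the altered key and the port-less host are constructed assumptions, and nothing here establishes which input differed in the poster's cluster.

```python
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_signature(secret_key, host, amz_date, method="GET",
                    path="/opensearch", query="list-type=2",
                    region="us-east-1"):  # region is an assumption
    """Return the hex SigV4 signature for an empty-body S3 request."""
    payload_hash = hashlib.sha256(b"").hexdigest()
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain seeded with "AWS4" + the secret key bytes.
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()


def compare(amz_date="20230101T000000Z"):  # constructed timestamp
    """Compare client-side signatures with the one the server would compute."""
    host = "storage-minio.opensearch:9000"  # endpoint from the post
    key = "p@$$w0rd!"                       # service-account key from the post
    server = sigv4_signature(key, host, amz_date)
    return {
        "same inputs": sigv4_signature(key, host, amz_date) == server,
        # Constructed: one byte of the key differs on the client side.
        "altered key": sigv4_signature("p@$w0rd!", host, amz_date) == server,
        # Constructed: client signs a Host header without the port.
        "host without port": sigv4_signature(
            key, "storage-minio.opensearch", amz_date) == server,
    }


if __name__ == "__main__":
    for case, ok in compare().items():
        print(f"{case}: {'match' if ok else '403 SignatureDoesNotMatch'}")
```

Decoding the `opensearch-storage-secrets` values and comparing them byte for byte with the MinIO service account is the corresponding check on the cluster side.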