403: Request Signature Does Not Match Using Min.io

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • 2.5

Describe the issue:

I’m attempting to connect OpenSearch to Min.io so that I could save index snapshots to an object-based on-prem storage. When I attempt to create the S3 repository, I receive access denied errors because the Min.io response does not match the S3 signature.

Configuration:

I created the OpenSearch cluster using the OpenSearch helm chart with the following secret and values.yml

- name: Deploy OpenSearch Minio Secrets
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: opensearch-storage-secrets
        namespace: opensearch
      data:
        s3.client.default.access_key: "{{ 'opensearch' | b64encode }}"
        s3.client.default.secret_key: "{{ 'p@$$w0rd!' | b64encode }}"

replicas: 1
minimumMasterNodes: 0
config:
  opensearch.yml: |
    ...
    s3.client.default:
      endpoint: "http://storage-minio.opensearch:9000"
      protocol: http
      path_style_access: true
...
keystore:
- secretName: opensearch-storage-secrets
...

The Min.io user is configured with a service account opensearch:p@$$w0rd!.
When I check the min.io access, I could see that the S3 endpoint was hit and that a 403 was sent back to OpenSearch.

My service account has the following policy:

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:GetObject"
   ],
   "Resource": [
    "arn:aws:s3:::opensearch/*"
   ]
  },
  {
   "Effect": "Allow",
   "Action": [
    "s3:ListBucket"
   ],
   "Resource": [
    "arn:aws:s3:::opensearch"
   ]
  }
 ]
}

I’ve attached documentation and screenshots for context.

Relevant Documentation:

Relevant Logs or Screenshots:



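Background on the 403 described in the post, as an added example that is not part of the original post or of OpenSearch/MinIO code: a SigV4 server recomputes the request signature from its own copy of the secret key and the headers it received, and rejects the request when the result differs from what the client sent. The timestamp, region, request path and the two mismatch cases are constructed assumptions for illustration, not a diagnosis of this cluster.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, host, amz_date, method="GET", path="/opensearch/",
                    query="", region="us-east-1"):
    """Compute the AWS SigV4 signature for a request with an empty body."""
    payload_hash = hashlib.sha256(b"").hexdigest()
    canonical_request = "\n".join([
        method, path, query,
        # Canonical headers: lowercase names, sorted, each terminated by "\n".
        f"host:{host}\nx-amz-content-sha256:{payload_hash}\nx-amz-date:{amz_date}\n",
        "host;x-amz-content-sha256;x-amz-date",
        payload_hash,
    ])
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Signing key: HMAC chain seeded with the raw secret key bytes.
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def server_status(client: dict, server: dict, amz_date="20230301T120000Z") -> int:
    """Return 200 if the server's recomputed signature matches the client's, else 403."""
    sent = sigv4_signature(client["secret"], client["host"], amz_date)
    expected = sigv4_signature(server["secret"], server["host"], amz_date)
    return 200 if hmac.compare_digest(sent, expected) else 403

# Server-side view: secret and endpoint host as written in the post.
SERVER = {"secret": "p@$$w0rd!", "host": "storage-minio.opensearch:9000"}
# Client-side views (constructed): what the signer might actually be using.
CASES = {
    "identical secret and host": dict(SERVER),
    "secret stored with trailing newline": {**SERVER, "secret": SERVER["secret"] + "\n"},
    "Host header rewritten in transit": {**SERVER, "host": "storage-minio:9000"},
}

if __name__ == "__main__":
    for name, client in CASES.items():
        print(f"{server_status(client, SERVER)}  {name}")
```

Because the secret only enters through the HMAC chain, a single differing byte in the stored key is indistinguishable on the wire from a wrong password; comparing the decoded keystore value byte for byte with the MinIO service account secret is the direct check.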