Amazon OpenSearch Service not able to publish Alerts to Amazon SNS destination

My issue may be more related to AWS than OpenSearch, I figured I would post here as a starting point in case anyone could help me but if there’s a better place to ask about my issue please let me know.

I’m using Amazon’s OpenSearch service in AWS and have set up Amazon SNS as a Destination for alerts. I have set up the SNS topic and permissions properly, and set up the role for the SNS destination in OpenSearch per this link: Configuring alerts in Amazon OpenSearch Service - Amazon OpenSearch Service which I called “test-OpenSearch-Role”, but when the trigger activates and tries to send an alert I get the following error in the alert:

“Error: Failed running action: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/cp-sts-grant-role/swift-us-west-2-prod-xxxxxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/Test-OpenSearch-Role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 78e679a3-7373-4fe8-b1c1-a9b5d0d9dcda; Proxy: null)”

I’m not sure what this “User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/cp-sts-grant-role/swift-us-west-2-prod-xxxxxxxxxxxx” is and I haven’t been able to get it to obtain the permissions in the “test-OpenSearch-Role” to publish to SNS. I’m not very experienced when it comes to AWS inline policies for roles but here is the JSON of the test-OpenSearch-Role:
“Version”: “2012-10-17”,
“Statement”: [
“Effect”: “Allow”,
“Action”: “sts:AssumeRole”,
“Resource”: “"
“Effect”: “Allow”,
“Action”: “sns:Publish”,
“Resource”: "


Any help would be much appreciated.

facking same issue, did you found any workaroud ?

@jake.puffer - if I recall correctly, you’ll have to specify a role arn as the ‘resource’ that you want your test-OpenSearch-Role to assume, otherwise this IAM policy would give them blanket access to assume any role you have. A setup that I don’t recommend.

See if you can edit your role to provide the AssumeRole on a specific role ARN. That might get you going.

Tangentially related, but was there any specific setup you needed to do to set up “SNS” as a destination?

I set up the role, but the only options I have for Destinations are “Chime”, “Slack”, and “Custom Webhook”.

The documentation makes it sound like I should just have “SNS” as an option, but I don’t. Not sure if I’m missing something obvious.