AWS Hosted - Roles not behaving as expected with no Index Patterns available

Versions (OpenSearch/Dashboard/Server, OS/Browser): AWS Hosted - 2.19, MacOS/Chrome (Version 140.0.7339.133)

Describe the issue:

When creating a role by adding in an index pattern that the role is allowed to read and search, the UI does not show anything. I have found a semi-workaround, but it is not permanent. This workaround involves changing the index permissions to add "*" and loading the Discover page in another incognito browser window, then editing the role to remove the "*" from the index patterns.

From my initial thoughts it was a problem with my config; however, I cannot seem to work out what permissions I am missing.

GOAL: Create a role such that the users in that role can only view the index(es) that are added to the role, to be able to read and search, as well as be able to see those index(es) that are on dashboards.

This may be a simple misunderstanding of the way the security permissions work, but I would really appreciate some guidance here, as I have tried for the last week with multiple configs and do not seem to be progressing (you can only google so much, until you ask the community experts for assistance 🙏).

Configuration:

Role name = devops_ops_UAT

Needs permissions to the index - os_dop_ops* and my_*

Relevant Logs or Screenshots:

This is the config that has been set up

Hey @nicholasvdh ,

When you say AWS Hosted, is it a self-managed or managed deployment? If so, could you share your configs? Also, have you tested mapping the users to the role which grants the permissions?

Leeroy.

There is a setting called do_not_fail_on_forbidden that can help with this. You will need to reach out to AWS support to toggle this on the cluster.

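A simplified model of what the do_not_fail_on_forbidden setting mentioned above changes, added here as an example (it is not code from this thread or from the Security plugin). It uses the index patterns of the devops_ops_UAT role; the cluster index names and all function names are constructed, and the real plugin also evaluates actions, aliases and tenants.

```python
from fnmatch import fnmatchcase

# Index patterns taken from the devops_ops_UAT role in this thread.
ROLE_PATTERNS = ["my_*", "os_dop_ops*"]

# Constructed sample cluster contents (assumption, not from the thread).
CLUSTER_INDICES = ["my_app-2025.09", "os_dop_ops-uat", "other_team_logs", ".kibana_1"]


class Forbidden(Exception):
    """Stands in for the HTTP 403 security_exception returned to the client."""


def resolve(request_pattern, indices):
    """Expand a request pattern such as '*' to the concrete indices it matches."""
    return [i for i in indices if fnmatchcase(i, request_pattern)]


def permitted(index, role_patterns):
    """True if any of the role's index_patterns covers this concrete index."""
    return any(fnmatchcase(index, p) for p in role_patterns)


def authorize(request_pattern, role_patterns, indices, do_not_fail_on_forbidden):
    """Return the indices the request may touch, or raise Forbidden.

    False: one unauthorized index in the expansion rejects the whole request.
    True:  unauthorized indices are dropped and the remainder is searched.
    """
    requested = resolve(request_pattern, indices)
    allowed = [i for i in requested if permitted(i, role_patterns)]
    denied = [i for i in requested if i not in allowed]
    if denied and not do_not_fail_on_forbidden:
        raise Forbidden(f"no permissions for {denied}")
    if not allowed:
        # Model choice: nothing left to search is treated as denied.
        raise Forbidden(f"no permitted index matches {request_pattern!r}")
    return allowed


if __name__ == "__main__":
    for flag in (False, True):
        try:
            print(flag, authorize("*", ROLE_PATTERNS, CLUSTER_INDICES, flag))
        except Forbidden as exc:
            print(flag, "403:", exc)
```
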

Hi Leeroy,

We are making use of the Amazon OpenSearch Service hosted in Cape Town RSA.

The configs I am using are the following:

For the Role

{
  "devops_ops_UAT": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops_ro",
      "cluster_composite_ops"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "my_*",
          "os_dop_ops*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "search",
          "indices:admin/mappings/fields/get*"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

For the Mapping on that role

{
  "devops_ops_UAT": {
    "hosts": [],
    "users": [
      "MY_user",
      "Another_User"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": []
  }
}

Thanks @cwperks, I will take this up with AWS.
