CredentialsProviderError: Role Arn 'XXX' needs to be assumed with web identity, but no role assumption callback was provided

Good afternoon,
For some days I have been trying to connect to OpenSearch from NodeJS, without success.
I tried following the documentation, but it only worked using aws_access_key_id and aws_secret_access_key:
https://docs.aws.amazon.com/en_br/opensearch-service/latest/developeguide/request-signing.html#request-signing-node

I have a NodeJS backend running inside AWS EKS and the same if I connect the roles through a Service Account:

RoleName: MyService

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::999999999999:oidc-provider/oidc.eks.sa-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXX"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.sa-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXX:sub": "system:serviceaccount:default:YYYYYYYYYYYYYYYYYY",
                    "oidc.eks.sa-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXX:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:*"
            ],
            "Resource": "*"
        }
    ]
}

NodeJs

const { Client } = require('@opensearch-project/opensearch');
const { defaultProvider } = require('@aws-sdk/credential-provider-node');
const createAwsOpensearchConnector = require('aws-opensearch-connector');
const getClient = async () => {
  const host = 'https://search-mydb-fpg5d4YHAYHAYAHAmvuyr3m.sa-east-1.es.amazonaws.com'
  const awsCredentials = await defaultProvider()();
  const connector = createAwsOpensearchConnector({
    credentials: awsCredentials,
    region: 'sa-east-1',
    getCredentials: function (cb) {
      return cb();
    },
  });
  return new Client({
    ...connector,
    node: host, // host already includes the https:// scheme
  });
};

I have received the following error message.

CredentialsProviderError: Role Arn 'arn:aws:iam::9999999999:role/XXXXXXXXX' needs to be assumed with web identity, but no role assumption callback was provided

Has anyone managed to connect from NodeJS? Do you have an example using these same settings?

Take a look at the latest version of the opensearch javascript client with sigv4 signing and IAM support.

I was struggling to get that working with latest version using sigv4 as well. My setup is like this:

[some-role]
aws_access_key_id = MYKEY
aws_secret_access_key = MYKEYID

[default]
role_arn = arn:aws:iam::ACCOUNT_ID:role/AssumedRole
source_profile = some-role

I got the error Profile default requires a role to be assumed, but no role assumption callback was provided
Here's the working solution for me, I hope that will help someone:

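const { AwsSigv4Signer } = require('@opensearch-project/opensearch/aws');
const { defaultProvider } = require('@aws-sdk/credential-provider-node');
const { getDefaultRoleAssumer } = require('@aws-sdk/client-sts');
// `region` is your AWS region string; roleAssumer lets the provider assume the profile's role_arn.
const options = AwsSigv4Signer({
  region,
  getCredentials: defaultProvider({ roleAssumer: getDefaultRoleAssumer() }),
});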

Would you be willing to submit this as a PR to the docs?

I don't mind, but honestly it seems to me that there's a bug in a lib or at least the lack of a feature. aws-sdk v3 clients use default providers with default assumers without the need to specify them in the params, but for opensearch I had to pass it. I could look into that and try to fix it, if someone could confirm that this is indeed a bug.

Feel free to open an issue in the client repo. I think it will get more/different eyes there.
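
The two errors quoted in this thread name two different callbacks: a profile with role_arn and source_profile needs roleAssumer, while an EKS service account role needs roleAssumerWithWebIdentity. The following is an added example, not code from any poster or from the OpenSearch client: it reports which callback a given environment depends on and builds signer options that supply both. The function names and sample inputs are hypothetical, and it assumes the AWS SDK v3 option names and the @aws-sdk/client-sts exports shown.

```javascript
// Added example; sample inputs are constructed, not taken from a real account.
const SAMPLE_IRSA_ENV = {
  AWS_ROLE_ARN: 'arn:aws:iam::111111111111:role/ExampleRole',
  AWS_WEB_IDENTITY_TOKEN_FILE: '/var/run/secrets/eks.amazonaws.com/serviceaccount/token',
};
const SAMPLE_INI = '[some-role]\naws_access_key_id = EXAMPLE\naws_secret_access_key = EXAMPLE\n' +
  '[default]\nrole_arn = arn:aws:iam::111111111111:role/ExampleRole\nsource_profile = some-role\n';

// Minimal parser for credentials-file text: { profileName: { key: value } }.
function parseIni(text) {
  const profiles = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(?:profile\s+)?([^\]]+)\]$/);
    if (header) { current = profiles[header[1].trim()] = {}; continue; }
    const eq = line.indexOf('=');
    if (current && eq > 0) current[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return profiles;
}

// Returns the defaultProvider() option names this environment depends on.
function requiredAssumers(env, iniText = '') {
  const needed = new Set();
  // EKS service-account roles inject these two variables into the pod.
  if (env.AWS_WEB_IDENTITY_TOKEN_FILE && env.AWS_ROLE_ARN) needed.add('roleAssumerWithWebIdentity');
  const profile = parseIni(iniText)[env.AWS_PROFILE || 'default'];
  if (profile && profile.role_arn) {
    if (profile.web_identity_token_file) needed.add('roleAssumerWithWebIdentity');
    else if (profile.source_profile || profile.credential_source) needed.add('roleAssumer');
  }
  return [...needed].sort();
}

// Options for AwsSigv4Signer with both callbacks supplied, so the same code works
// with a role-assuming profile and on EKS. Packages load lazily and must be installed.
function buildSignerOptions(region) {
  const { defaultProvider } = require('@aws-sdk/credential-provider-node');
  const { getDefaultRoleAssumer, getDefaultRoleAssumerWithWebIdentity } = require('@aws-sdk/client-sts');
  return {
    region,
    getCredentials: defaultProvider({
      roleAssumer: getDefaultRoleAssumer(),
      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(),
    }),
  };
}
```

Inside a pod, `requiredAssumers(process.env)` shows whether the web-identity callback is needed before any request is signed.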