How to access fine-grained access control enabled (with cognito) OpenSearch domain from lambda

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.13

Describe the issue:
Hi all, I enabled fine-grained access control with Cognito for an OpenSearch domain. Cognito login works fine with master user role permissions. However, I’m getting the following error when connecting to the OpenSearch domain from Lambda.
Error:

{
  "type": "security_exception",
  "reason": "no permissions for [indices:admin/aliases, indices:admin/create] and User [name=arn:aws:iam::1234567890:role/ap-dev-lambda, backend_roles=[arn:aws:iam::1234567890:role/ap-dev-lambda], requestedTenant=null]"
}

This is how I connect to OpenSearch:

import { Client } from '@opensearch-project/opensearch'
import { defaultProvider } from '@aws-sdk/credential-provider-node'
import { AwsSigv4Signer } from '@opensearch-project/opensearch/aws'

// domainEndpoint is the OpenSearch domain endpoint hostname (set elsewhere)
const client = new Client({
  node: `https://${domainEndpoint}`,
  // Sign requests with SigV4 using the Lambda execution role's credentials
  ...AwsSigv4Signer({
    region: process.env.AWS_REGION,
    getCredentials: () => defaultProvider()(),
  }),
})

This is the related domain CDK code:

this.domain = new opensearch.Domain(scope, domainId, {
  ...
  fineGrainedAccessControl: {
    masterUserArn: this.cognito.masterUserRole.roleArn,
  },
  cognitoDashboardsAuth: {
    userPoolId: this.cognito.userPool.userPoolId,
    identityPoolId: this.cognito.identityPool.ref,
    role: this.cognito.openSearchCognitoAccessRole,
  },
  ...
})
this.domain.addAccessPolicies(
  new iam.PolicyStatement({
    actions: ['es:ESHttp*'],
    principals: [new iam.AccountRootPrincipal()],
    resources: [`${this.domain.domainArn}/*`],
  })
)
this.cognito.masterUserRole.addToPolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['es:*'],
    resources: [`${this.domain.domainArn}/*`],
  })
)

The Lambda role arn:aws:iam::1234567890:role/ap-dev-lambda has this policy statement:

{
  "Action": [
    "*"
  ],
  "Resource": [
    "arn:aws:es:us-east-1:1234567890:domain/ap-dev-search",
    "arn:aws:es:us-east-1:1234567890:domain/ap-dev-search/*"
  ],
  "Effect": "Allow"
}

But it works fine if I add the Lambda role arn:aws:iam::1234567890:role/ap-dev-lambda in OpenSearch Dashboards under Security -> Roles -> all_access -> Mapped users.

I need to do this in CDK and Lambda code, but I’m not sure how to do that.

Thank you!
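The Dashboards step in the question (adding the Lambda role's ARN as a mapped backend role of an OpenSearch security role) is also exposed by the security plugin's REST API, so it can run from deploy code. The helper below is an added example, not code from the thread: it assumes a `client` built with `@opensearch-project/opensearch` and `AwsSigv4Signer` under the FGAC master user role (as in the post, but with the master user's credentials), reads the existing mapping, merges the ARN in, and writes it back; the role name `lambda_writer` in the comments is a placeholder, and a dedicated role holding only the index permissions the error names is a tighter target than `all_access`.

```javascript
'use strict';
// Added example, not from the thread. Maps an IAM role ARN (which OpenSearch
// sees as a backend role) onto a security role via the security plugin REST API.
// `client` is assumed to be an @opensearch-project/opensearch Client signed as
// the FGAC master user, e.g. new Client({ node, ...AwsSigv4Signer({...}) }).

const MAPPING_PATH = '/_plugins/_security/api/rolesmapping';
const EMPTY_MAPPING = { backend_roles: [], hosts: [], users: [] };

// Fetch the current mapping; a 404 means no mapping exists for this role yet.
async function getRoleMapping(client, securityRole) {
  try {
    const res = await client.transport.request({
      method: 'GET', path: `${MAPPING_PATH}/${securityRole}`,
    });
    return res.body[securityRole] || EMPTY_MAPPING;
  } catch (err) {
    if (err.meta && err.meta.statusCode === 404) return EMPTY_MAPPING;
    throw err;
  }
}

// PUT replaces the whole mapping, so merge the new ARN into what is already
// there instead of clobbering other mapped backend roles and users.
function mergeMapping(existing, iamRoleArn) {
  if (!/^arn:aws:iam::\d+:role\/[\w+=,.@\-\/]+$/.test(iamRoleArn)) {
    throw new Error(`not an IAM role ARN: ${iamRoleArn}`);
  }
  const backendRoles = new Set(existing.backend_roles || []);
  backendRoles.add(iamRoleArn);
  return {
    backend_roles: [...backendRoles],
    hosts: existing.hosts || [],
    users: existing.users || [],
  };
}

// Idempotent: running this on every deploy (e.g. for the placeholder role
// `lambda_writer`) leaves exactly one entry per ARN in the mapping.
async function mapIamRole(client, securityRole, iamRoleArn) {
  if (!/^[A-Za-z0-9_-]+$/.test(securityRole)) {
    throw new Error(`bad security role name: ${securityRole}`);
  }
  const mapping = mergeMapping(await getRoleMapping(client, securityRole), iamRoleArn);
  const res = await client.transport.request({
    method: 'PUT', path: `${MAPPING_PATH}/${securityRole}`, body: mapping,
  });
  return { statusCode: res.statusCode, mapping };
}
```

Call `mapIamRole(client, '<role>', '<lambda role ARN>')` from a deploy step that runs as the master user; the Lambda itself keeps signing with its own execution role as in the post.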

@ap-h Have you tried escaping special characters, i.e. colon and forward slash?
The web UI should handle them automatically, but a script is not always that clever.

I am having the same issue. To my understanding, CDK doesn’t seem to support this use case.

Looking at the official Terraform module, you can see that there are resources to manage users: Terraform Registry

Using Terraform, you could create a user in the OpenSearch domain, assign permissions and add your master role as a backend role to make this whole thing work without needing manual work, but in CDK this doesn’t seem to be the case.

Please do let me know if you already find a way to solve this.

I haven’t found a solution; I had to use the master user & password, which is not great.
I’m surprised that I’m the only one who has this issue; it seems a pretty common case for fine-grained access.