Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.13
Describe the issue:
Hi all, I enabled fine-grained access control with Cognito for an OpenSearch domain. Cognito login works fine with the master user role permissions. However, I'm getting the following error when connecting to the OpenSearch domain from Lambda.
Error:
```json
{
  "type": "security_exception",
  "reason": "no permissions for [indices:admin/aliases, indices:admin/create] and User [name=arn:aws:iam::1234567890:role/ap-dev-lambda, backend_roles=[arn:aws:iam::1234567890:role/ap-dev-lambda], requestedTenant=null]"
}
```
This is how I connect to OpenSearch:
```typescript
import { Client } from '@opensearch-project/opensearch'
import { defaultProvider } from '@aws-sdk/credential-provider-node'
import { AwsSigv4Signer } from '@opensearch-project/opensearch/aws'

// domainEndpoint is the domain's HTTPS endpoint, resolved elsewhere in the Lambda
const client = new Client({
  node: `https://${domainEndpoint}`,
  ...AwsSigv4Signer({
    region: process.env.AWS_REGION,
    // Sign requests with the Lambda execution role's credentials
    getCredentials: () => defaultProvider()(),
  }),
})
```
This is the related domain CDK code:
```typescript
this.domain = new opensearch.Domain(scope, domainId, {
  ...
  fineGrainedAccessControl: {
    masterUserArn: this.cognito.masterUserRole.roleArn,
  },
  cognitoDashboardsAuth: {
    userPoolId: this.cognito.userPool.userPoolId,
    identityPoolId: this.cognito.identityPool.ref,
    role: this.cognito.openSearchCognitoAccessRole,
  },
  ...
})

this.domain.addAccessPolicies(
  new iam.PolicyStatement({
    actions: ['es:ESHttp*'],
    principals: [new iam.AccountRootPrincipal()],
    resources: [`${this.domain.domainArn}/*`],
  })
)

this.cognito.masterUserRole.addToPolicy(
  new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: ['es:*'],
    resources: [`${this.domain.domainArn}/*`],
  })
)
```
The Lambda role arn:aws:iam::1234567890:role/ap-dev-lambda has this policy statement:
```json
{
  "Action": [
    "*"
  ],
  "Resource": [
    "arn:aws:es:us-east-1:1234567890:domain/ap-dev-search",
    "arn:aws:es:us-east-1:1234567890:domain/ap-dev-search/*"
  ],
  "Effect": "Allow"
}
```
But it works fine if I add the Lambda role arn:aws:iam::1234567890:role/ap-dev-lambda to OpenSearch Dashboards -> Security -> Roles -> all_access -> Mapped users.
I need to do this in CDK and Lambda code, but I'm not sure how to do that.
Thank you!
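As an added example (not code from the original post), the following builds the two OpenSearch Security plugin REST calls that replace the Dashboards click-ops described above: create a role scoped to just the permissions the error names, then map the Lambda's IAM role ARN to it as a backend role instead of to `all_access`. The role name, the index pattern and the `Transport` interface are assumptions; the calls must be sent through a client signed as the master user (for example from a CDK custom resource), and `client.transport` from the `@opensearch-project/opensearch` Client satisfies the interface.

```typescript
interface SecurityRequest {
  method: 'PUT';
  path: string;
  body: Record<string, unknown>;
}

// Minimal shape of client.transport from @opensearch-project/opensearch (assumption).
interface Transport {
  request(params: SecurityRequest): Promise<unknown>;
}

// PUT /_plugins/_security/api/roles/<name>: a role granting only the actions the
// security_exception listed, restricted to the indices the Lambda writes to.
// 'crud' and 'cluster_composite_ops' are built-in action groups of the security plugin.
function buildRoleRequest(roleName: string, indexPattern: string): SecurityRequest {
  return {
    method: 'PUT',
    path: `/_plugins/_security/api/roles/${encodeURIComponent(roleName)}`,
    body: {
      cluster_permissions: ['cluster_composite_ops'],
      index_permissions: [{
        index_patterns: [indexPattern],
        allowed_actions: ['indices:admin/create', 'indices:admin/aliases', 'crud'],
      }],
    },
  };
}

// PUT /_plugins/_security/api/rolesmapping/<name>: SigV4-signed requests carry the
// IAM role ARN as a backend role, so mapping that ARN here is what the Dashboards
// "Mapped users" step did, but to a scoped role rather than all_access.
function buildRoleMappingRequest(roleName: string, iamRoleArns: string[]): SecurityRequest {
  return {
    method: 'PUT',
    path: `/_plugins/_security/api/rolesmapping/${encodeURIComponent(roleName)}`,
    body: { backend_roles: iamRoleArns },
  };
}

// Applies both calls in order (the role must exist before it is mapped).
async function grantLambdaAccess(
  transport: Transport, roleName: string, indexPattern: string, lambdaRoleArn: string,
): Promise<string[]> {
  const applied: string[] = [];
  for (const req of [buildRoleRequest(roleName, indexPattern), buildRoleMappingRequest(roleName, [lambdaRoleArn])]) {
    await transport.request(req);
    applied.push(req.path);
  }
  return applied;
}
```

The transport doing these PUTs needs security-API rights, so sign it with the master user role from the CDK code above, not with the Lambda role that is being granted access.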