Hi all
I have an AWS Elasticsearch cluster (version 7.7) with RBAC enabled. Currently there are 2 role mappings:
- 'admin' IAM role is mapped to the 'all_access' Opendistro role (built-in)
- 'developers' IAM role is mapped to the 'developers' Opendistro role (created by me)
The developers group should have limited permissions based on DLS, and I managed to configure that.
But I also want the 'developers' group to be able to create monitors. And it seems that no matter what permissions I give to this group, it can't do it.
For example, I copied the permissions from the 'all_access' role to the 'developers' role, so the requests below return almost the same JSON:
GET _opendistro/_security/api/roles/all_access
GET _opendistro/_security/api/roles/developers
Then I tried to create a monitor using dev tools:
POST _opendistro/_alerting/monitors
{
  "type": "monitor",
  "name": "monitor1",
  "enabled": true,
  "schedule": {
    "period": {"interval": 1, "unit": "MINUTES"}
  },
  "inputs": [
    {
      "search": {
        "indices": ["test123-*"],
        "query": {
          "size": 0,
          "aggregations": {},
          "query": {"query_string": {"query": "log:error AND timestamp:[now-5m TO now]"}}
        }
      }
    }
  ]
}
But I got the following error:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for and User [name=Cognito/…/user1, backend_roles=[arn:aws:iam::…:role/…_developers], requestedTenant=user]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for and User [name=Cognito/…/user1, backend_roles=[arn:aws:iam::…:role/…_developers], requestedTenant=user]"
  },
  "status" : 403
}
When I use the 'Alerting' part of the Kibana interface to create an alarm, there is no error, but I still can't create it: nothing happens when I press the 'Create' button.
Once I map the 'developers' IAM role to 'all_access', everything works as expected.
So it seems that the only way to create a monitor is to map the IAM role to the 'all_access' ES role.
I’d appreciate any help to figure out how to do it without using ‘all_access’ role.
Thanks.
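The post compares two role definitions by eye ("almost the same JSON"). The following is an added example, not code from the original post or from the Open Distro project: it diffs a role pulled from `GET _opendistro/_security/api/roles/<name>` against the cluster-level actions the Alerting plugin is documented to check, and builds the `PUT` body for a role that keeps a DLS restriction on `test123-*` while granting those actions. The action names are assumed from the Open Distro alerting plugin and its built-in `alerting_full_access` role; the sample role bodies are constructed for the example, and named action groups such as `cluster_all` are deliberately not expanded, so compare raw action names or wildcards. Verify the names against the `roles.yml` of your cluster version before relying on them.

```python
"""Diff an Open Distro security role against the cluster permissions the
Alerting plugin needs, and build the role body to PUT back.

Added example, not code from the original post. Permission names are an
assumption based on the Open Distro alerting plugin's action names and its
built-in alerting_full_access role.
"""
import json
from fnmatch import fnmatchcase

# Cluster-level actions the Alerting plugin checks when a user creates,
# reads, runs or deletes monitors and destinations (assumed names).
ALERTING_CLUSTER_ACTIONS = [
    "cluster:admin/opendistro/alerting/monitor/write",
    "cluster:admin/opendistro/alerting/monitor/get",
    "cluster:admin/opendistro/alerting/monitor/search",
    "cluster:admin/opendistro/alerting/monitor/execute",
    "cluster:admin/opendistro/alerting/monitor/delete",
    "cluster:admin/opendistro/alerting/destination/write",
    "cluster:admin/opendistro/alerting/destination/get",
    "cluster:admin/opendistro/alerting/destination/delete",
    "cluster:admin/opendistro/alerting/alerts/get",
    "cluster:admin/opendistro/alerting/alerts/ack",
]


def covered(action, granted):
    """True if any granted entry matches the action.

    Entries are treated as glob patterns, so "*" (as in all_access) and
    "cluster:admin/opendistro/alerting/*" both cover every monitor action.
    Named action groups (e.g. "cluster_all") are NOT expanded here.
    """
    return any(fnmatchcase(action, pattern) for pattern in granted)


def missing_alerting_permissions(role):
    """Return the alerting cluster actions that role["cluster_permissions"]
    does not grant, in the order of ALERTING_CLUSTER_ACTIONS."""
    granted = role.get("cluster_permissions", [])
    return [a for a in ALERTING_CLUSTER_ACTIONS if not covered(a, granted)]


def build_role_request(name, index_pattern, dls_query, alerting=True):
    """Return (method, path, body) for the security REST API call that
    (re)defines a role: DLS restriction on index_pattern, read-only index
    access, and optionally the alerting cluster permissions."""
    cluster_perms = ["cluster_monitor", "cluster:admin/opendistro/alerting/*"] if alerting else []
    body = {
        "cluster_permissions": cluster_perms,
        "index_permissions": [
            {
                "index_patterns": [index_pattern],
                # The security API stores the DLS query as a JSON string.
                "dls": json.dumps(dls_query),
                "allowed_actions": ["read", "indices_monitor", "indices:admin/mappings/get"],
            }
        ],
        "tenant_permissions": [],
    }
    return "PUT", f"/_opendistro/_security/api/roles/{name}", body


# Constructed sample: a developers role with DLS only, as the post describes.
DEVELOPERS_ROLE_DLS_ONLY = {
    "cluster_permissions": [],
    "index_permissions": [
        {
            "index_patterns": ["test123-*"],
            "dls": '{"term": {"team": "dev"}}',
            "allowed_actions": ["read"],
        }
    ],
}

# Constructed sample of the built-in all_access role: "*" everywhere.
ALL_ACCESS_ROLE = {
    "cluster_permissions": ["*"],
    "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
}


if __name__ == "__main__":
    for label, role in (("developers", DEVELOPERS_ROLE_DLS_ONLY), ("all_access", ALL_ACCESS_ROLE)):
        print(label, "missing:", missing_alerting_permissions(role))
    method, path, body = build_role_request("developers", "test123-*", {"term": {"team": "dev"}})
    print(method, path)
    print(json.dumps(body, indent=2))
```

Feed it the JSON returned by `GET _opendistro/_security/api/roles/developers` (the value under the role name) to see which alerting actions the role actually lacks; an empty list from `missing_alerting_permissions` means the cluster-level side matches, and the remaining difference to look for is in index permissions or DLS.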