version 2.13
Hello everyone,
I have set up a private OpenSearch cluster in AWS, which should be accessible from 0.0.0.0/0. To achieve this, we implemented an NGINX instance and integrated the cluster with Cognito for authentication. However, for some reason that I haven’t been able to identify, I am unable to create an index pattern in a private tenant, although I can do it globally.
I’ve verified that the backend role provided by Cognito is correctly mapped to the all_access role in OpenSearch. Has anyone experienced a similar issue, or does anyone have any recommendations?
Thank you.
NGINX Config
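# TLS-terminating reverse proxy in front of a VPC-only OpenSearch domain.
# Requests under /_dashboards go to the domain endpoint; Cognito hosted-UI
# paths go to the Cognito domain. The proxy itself performs no authentication
# and no source filtering (no auth_*/allow/deny directives), so access control
# rests entirely on Cognito and the domain's own security configuration.
server {
    listen 443 ssl;

    # nginx does not expand request variables in server_name, so "$host" here is
    # a literal name that no client sends; the block answers as the default
    # server for this socket and accepts any Host header.
    # $host in the directives below is taken from the request, so redirects and
    # cookie rewrites echo whatever Host the client supplied.
    # NOTE(review): consider naming the public hostname explicitly and rejecting
    # other Host values in a separate default server.
    server_name $host;

    # Send the bare root to the Dashboards UI (temporary redirect).
    rewrite ^/$ https://$host/_dashboards redirect;

    # A resolver is required because both proxy_pass targets are variables and
    # are resolved at request time. x.x.x.x is the poster's redacted DNS server.
    # valid=5s caches answers for 5 seconds instead of honouring the record TTL.
    resolver x.x.x.x ipv6=off valid=5s;

    # Placeholders from the post: substitute the VPC domain endpoint and the
    # Cognito domain (host names only, no scheme). The quotes must be plain
    # ASCII double quotes; typographic quotes pasted from a web page would
    # become part of the value and break every proxy_pass and proxy_redirect.
    set $domain_endpoint "Domain endpoint (VPC)";
    set $cognito_host "Cognito domain";

    ssl_certificate /opt/ssl/opensearch.crt;
    # Private key: keep readable only by the account that starts nginx.
    ssl_certificate_key /opt/ssl/opensearch.key;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # Only TLS 1.2 and 1.3 are offered to clients.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # NOTE(review): both upstream hops use https, but nginx does not verify
    # upstream certificates unless proxy_ssl_verify is enabled (it defaults to
    # off). Enabling it together with proxy_ssl_trusted_certificate would
    # authenticate the connections to the domain endpoint and to Cognito.

    # Dashboards traffic. "^~" makes this prefix match win over the regex
    # location below for every URI that starts with /_dashboards.
    location ^~ /_dashboards {
        proxy_pass https://$domain_endpoint;

        # Rewrite Location headers that point at Cognito or at the VPC endpoint
        # so the browser stays on the proxy's host name.
        proxy_redirect https://$cognito_host https://$host;
        proxy_redirect https://$domain_endpoint https://$host;

        # Re-scope cookies set by the domain to the proxy's host, and move
        # cookies whose path is exactly "/" under /_dashboards/.
        proxy_cookie_domain $domain_endpoint $host;
        proxy_cookie_path ~*^/$ /_dashboards/;

        # Enlarged buffers for upstream response headers.
        # presumably sized for large auth cookies/tokens — confirm.
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    # Cognito hosted-UI traffic. The regex is case-sensitive and unanchored: any
    # URI that contains one of these segments after a "/" anywhere in its path
    # is forwarded to Cognito, except URIs already claimed by /_dashboards.
    # NOTE(review): anchoring the pattern with "^/" would limit it to top-level
    # paths; confirm against the hosted-UI paths actually in use before changing.
    location ~ /(log|sign|fav|forgot|change|saml|oauth2|confirm|mfa) {
        proxy_pass https://$cognito_host;
        proxy_redirect https://$domain_endpoint https://$host;
        proxy_redirect https://$cognito_host https://$host;
        proxy_cookie_domain $cognito_host $host;
    }
}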