Security_exception: no permissions for [cluster:monitor/main]

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.5 AWS-Hosted Cluster

Describe the issue:

I am using the opensearchpy library to query the cluster:

```python
from logging import Logger
from typing import Tuple, Union

import boto3
from opensearchpy import AWSV4SignerAuth, OpenSearch, RequestsHttpConnection

# App (providing .log, .region, .domain_endpoint and .get_db_secret) is the
# application class from the poster's own project and is not shown here.


def init_opensearch_client(url: str, secret: dict, app: App) -> Tuple[OpenSearch, Union[Exception, None]]:
    log: Logger = app.log
    host = url.replace('https://', '')
    port = 443
    log.info("initializing opensearch client", extra={
        "aos_host": host,
        "aos_port": port,
    })

    client: OpenSearch = None
    try:
        service = 'es'
        credentials = boto3.Session().get_credentials()
        # SigV4-sign every request with the Lambda execution role's credentials
        auth = AWSV4SignerAuth(credentials, app.region, service)
        # API docs:
        client = OpenSearch(
            hosts=[{
                'host': host,
                'port': port
            }],
            http_auth=auth,
            use_ssl=True,
            verify_certs=True,
            connection_class=RequestsHttpConnection,
        )
    except Exception as e:
        log.error("failed to initialize opensearch client", extra={"aos_error": e})
        return None, e
    return client, None


def handle_get_info(event, context, app: App):
    client, err = init_opensearch_client(url=app.domain_endpoint, secret=app.get_db_secret(), app=app)
    if err:
        return err
    # GET / on the domain, which requires the cluster:monitor/main action
    cluster_info = client.info()
    app.log.info("cluster info", extra={"aos_cluster_info": cluster_info})
    return cluster_info
```

The error message I get follows:

```json
{
  "errorMessage": "AuthorizationException(403, 'security_exception', 'no permissions for [cluster:monitor/main] and User [name=arn:aws:iam::removed:role/AosMgmtHandlerLambdaInstan-LOFIPEVH83CW, backend_roles=[arn:aws:iam::removed:role/AosMgmtHandlerLambdaInstan-LOFIPEVH83CW], requestedTenant=null]')",
  "errorType": "AuthorizationException",
  "requestId": "2d560bae-cb68-4c32-ad0e-c17b569c1666",
  "stackTrace": [
    "  File \"/var/lang/lib/python3.9/site-packages/aws_lambda_powertools/metrics/\", line 411, in decorate\n    response = lambda_handler(event, context)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/aws_lambda_powertools/logging/\", line 438, in decorate\n    return lambda_handler(event, context, *args, **kwargs)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/aws_lambda_powertools/tracing/\", line 305, in decorate\n    response = lambda_handler(event, context, **kwargs)\n",
    "  File \"/var/task/app/\", line 41, in handler\n    process_event(event, context, app)\n",
    "  File \"/var/task/app/\", line 68, in process_event\n    return handle_get_info(event, context, app)\n",
    "  File \"/var/task/app/\", line 32, in handle_get_info\n    cluster_info =\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/client/\", line 178, in _wrapped\n    return func(*args, params=params, headers=headers, **kwargs)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/client/\", line 251, in info\n    return self.transport.perform_request(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/\", line 409, in perform_request\n    raise e\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/\", line 370, in perform_request\n    status, headers_response, data = connection.perform_request(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/connection/\", line 219, in perform_request\n    self._raise_error(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/connection/\", line 301, in _raise_error\n    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(\n"
  ]
}
```

This blogpost talks about the issue and solves it via UI.

However, I don't have access to the UI (see AWS-Hosted OpenSearch Cluster - OpenSearch Dashboards URL (VPC) Unavailable).

Also, I am deploying the cluster using CDK and would like to manage permissions in CDK too.
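The 403 above means the domain has fine-grained access control enabled and the Lambda's IAM role is not mapped to any Security-plugin role that carries `cluster:monitor/main`. The Dashboards UI only wraps the Security plugin's REST API, so the same mapping can be done from code without Dashboards access. The following is an added example, not the poster's code: it parses the denied action and the caller's IAM ARN out of the `security_exception` text and builds a least-privilege role plus a role mapping (backend_roles = the IAM role ARN) as `PUT` calls to `_plugins/_security/api`. The role name `lambda_cluster_monitor` and the `apply_grant_requests` helper are assumptions; the client passed to it must be authenticated as a user allowed to administer the Security plugin (for example the domain master user), not as the denied Lambda role.

```python
import re
from typing import Any, Dict, List, Tuple

# Assumed name (not from the post): the custom security role created for the Lambda.
ROLE_NAME = "lambda_cluster_monitor"

# Message text copied from the post's AuthorizationException (ARN already redacted there).
SAMPLE_MESSAGE = (
    "no permissions for [cluster:monitor/main] and User "
    "[name=arn:aws:iam::removed:role/AosMgmtHandlerLambdaInstan-LOFIPEVH83CW, "
    "backend_roles=[arn:aws:iam::removed:role/AosMgmtHandlerLambdaInstan-LOFIPEVH83CW], "
    "requestedTenant=null]"
)

# Shape of the security_exception text that opensearch-py surfaces in AuthorizationException.
SEC_EXC = re.compile(r"no permissions for \[(?P<perm>[^\]]+)\].*?backend_roles=\[(?P<roles>[^\]]*)\]")


def parse_security_exception(message: str) -> Tuple[str, List[str]]:
    """Return the denied action and the caller's backend roles (the IAM role ARNs)."""
    m = SEC_EXC.search(message)
    if not m:
        raise ValueError("not a fine-grained access control security_exception")
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return m.group("perm"), roles


def build_grant_requests(message: str, role_name: str = ROLE_NAME) -> List[Tuple[str, str, Dict[str, Any]]]:
    """Two Security-plugin REST calls that resolve the denial with least privilege:
    a role holding only the denied cluster action, and a mapping of that role to the
    IAM role ARNs named in the error (as backend_roles; no named users, no host rules)."""
    perm, backend_roles = parse_security_exception(message)
    role_body = {"cluster_permissions": [perm], "index_permissions": [], "tenant_permissions": []}
    mapping_body = {"backend_roles": backend_roles, "hosts": [], "users": []}
    return [
        ("PUT", f"/_plugins/_security/api/roles/{role_name}", role_body),
        ("PUT", f"/_plugins/_security/api/rolesmapping/{role_name}", mapping_body),
    ]


def apply_grant_requests(client, requests: List[Tuple[str, str, Dict[str, Any]]]) -> List[Any]:
    """Send the calls through an opensearch-py client that is authenticated as a
    security administrator (e.g. the domain master user), not as the denied Lambda role."""
    return [client.transport.perform_request(method, path, body=body) for method, path, body in requests]
```

Review the generated role body before applying it: granting exactly the denied action keeps the Lambda role at the minimum it needs, which mapping it to `all_access` or making it the master user would not.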