Security_exception: no permissions for [cluster:monitor/main]

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.5 AWS-Hosted Cluster

Describe the issue:

I am using the opensearch-py library to query the cluster:

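def init_opensearch_client(url: str, secret: dict, app: App) -> Tuple[OpenSearch, Union[Exception, None]]:
    """Build an OpenSearch client that signs requests with the caller's IAM credentials.

    Args:
        url: Domain endpoint, with or without an ``https://`` scheme; an
            explicit ``:port`` or a trailing path is tolerated.
        secret: Not used here -- requests are authenticated with SigV4 (the
            IAM identity of the running process), not with a stored secret.
        app: Provides ``log`` (a ``Logger``) and ``region`` (the AWS region
            the requests are signed for).

    Returns:
        ``(client, None)`` on success, ``(None, error)`` when construction
        fails. Errors are logged and returned rather than raised so the
        caller decides how to surface them.
    """
    from urllib.parse import urlsplit

    log: Logger = app.log
    # Normalise the endpoint: a bare hostname (no scheme) is accepted as well
    # as a full URL with scheme, port or trailing slash; a plain
    # str.replace would leave a trailing path in the host name.
    parts = urlsplit(url if "://" in url else f"https://{url}")
    host = parts.hostname or url.replace('https://', '')
    port = parts.port or 443
    log.info("initializing opensearch client", extra={
        "aos_host": host,
        "aos_port": port,
    })

    try:
        # 'es' is the SigV4 service name for managed Amazon OpenSearch Service
        # domains (Serverless collections sign as 'aoss' instead).
        service = 'es'
        credentials = boto3.Session().get_credentials()
        if credentials is None:
            # Without this check the signer would only fail at request time,
            # far from where the missing credentials can be diagnosed.
            raise RuntimeError("no AWS credentials available for SigV4 signing")
        auth = AWSV4SignerAuth(credentials, app.region, service)
        # API docs: https://opensearch-project.github.io/opensearch-py/api-ref/clients/opensearch_client.html
        client = OpenSearch(
            hosts=[{
                'host': host,
                'port': port
            }],
            http_compress=True,
            http_auth=auth,
            use_ssl=True,
            # Keep certificate verification on: each signed request carries
            # the caller's IAM identity and must only reach the real domain.
            verify_certs=True,
            pool_maxsize=20,
            connection_class=RequestsHttpConnection)
    except Exception as e:
        # log.exception records the traceback that log.error would drop.
        log.exception("failed to initialize opensearch client", extra={"aos_error": e})
        return None, e
    # NOTE: a 403 'security_exception' on the first request means the
    # signature was accepted but the IAM principal is not mapped to an
    # OpenSearch role granting the needed cluster permission (fine-grained
    # access control); that is a domain-side role mapping, not a client bug.
    return client, None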
    # Fragment of the caller; its def line is not shown here (the traceback
    # below attributes the client.info() call to handle_get_info).
    client, err = init_opensearch_client(url=app.domain_endpoint, secret=app.get_db_secret(), app=app)
    if err:
        # Construction errors are returned as values, not raised, so the
        # error object itself is handed back to the caller here.
        return err
    # First request to the domain: this is the call that raised the 403
    # 'security_exception' shown below.
    cluster_info = client.info()
    log.info("cluster info", extra={"aos_cluster_info": cluster_info})
    return cluster_info

The error message I get follows:

{
  "errorMessage": "AuthorizationException(403, 'security_exception', 'no permissions for [cluster:monitor/main] and User [name=arn:aws:iam::removed:role/AosMgmtHandlerLambdaInstan-LOFIPEVH83CW, backend_roles=[arn:aws:iam::removed:role/AosMgmtHandlerLambdaInstan-LOFIPEVH83CW], requestedTenant=null]')",
  "errorType": "AuthorizationException",
  "requestId": "2d560bae-cb68-4c32-ad0e-c17b569c1666",
  "stackTrace": [
    "  File \"/var/lang/lib/python3.9/site-packages/aws_lambda_powertools/metrics/base.py\", line 411, in decorate\n    response = lambda_handler(event, context)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/aws_lambda_powertools/logging/logger.py\", line 438, in decorate\n    return lambda_handler(event, context, *args, **kwargs)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/aws_lambda_powertools/tracing/tracer.py\", line 305, in decorate\n    response = lambda_handler(event, context, **kwargs)\n",
    "  File \"/var/task/app/index.py\", line 41, in handler\n    process_event(event, context, app)\n",
    "  File \"/var/task/app/index.py\", line 68, in process_event\n    return handle_get_info(event, context, app)\n",
    "  File \"/var/task/app/handle_get_info.py\", line 32, in handle_get_info\n    cluster_info = client.info()\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/client/utils.py\", line 178, in _wrapped\n    return func(*args, params=params, headers=headers, **kwargs)\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/client/__init__.py\", line 251, in info\n    return self.transport.perform_request(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/transport.py\", line 409, in perform_request\n    raise e\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/transport.py\", line 370, in perform_request\n    status, headers_response, data = connection.perform_request(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/connection/http_requests.py\", line 219, in perform_request\n    self._raise_error(\n",
    "  File \"/var/lang/lib/python3.9/site-packages/opensearchpy/connection/base.py\", line 301, in _raise_error\n    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(\n"
  ]
}

This blog post discusses the issue and solves it via the UI.

However, I don’t have access to the UI (see AWS-Hosted OpenSearch Cluster - OpenSearch Dashboards URL (VPC) Unavailable).

Also, I am deploying the cluster using CDK and would like to manage permissions in CDK too.