Trying to use Signing HTTP requests to Amazon OpenSearch Service, getting below error

gkSachin04 · February 13, 2023, 5:41am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
I am trying to connect to OpenSearch service using AwsSdk2Transport to send the signed request but getting

[security_exception] authentication/authorization failure: org.opensearch.client.opensearch._types.OpenSearchException
org.opensearch.client.opensearch._types.OpenSearchException: Request failed: [security_exception] authentication/authorization failure

Configuration:

I have followed AWS SigV4 support for OpenSearch clients · OpenSearch to create the domain and set the security config.

and added role created for lambda in the opensearch access policy
I have generated the access key and security key in the credential file located in .aws folder home path.

Relevant Logs or Screenshots:
Request failed: [security_exception] authentication/authorization failure: org.opensearch.client.opensearch._types.OpenSearchException
org.opensearch.client.opensearch._types.OpenSearchException: Request failed: [security_exception] authentication/authorization failure
at org.opensearch.client.transport.aws.AwsSdk2Transport.parseResponse(AwsSdk2Transport.java:444)
at org.opensearch.client.transport.aws.AwsSdk2Transport.executeSync(AwsSdk2Transport.java:365)
at org.opensearch.client.transport.aws.AwsSdk2Transport.performRequest(AwsSdk2Transport.java:171)
at org.opensearch.client.opensearch.OpenSearchClient.info(OpenSearchClient.java:790)
at org.example.Siggned.handleRequest(Siggned.java:36)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)

kris · March 8, 2023, 6:40pm

@vachashah @harshavamsi @xtansia or @dblock - would you have a moment to look at this for @gkSachin04? thank you

xtansia · March 8, 2023, 8:21pm

Hi @gkSachin04,

Just so I can make sure I’ve got it right:

You’ve created a domain in AWS with “Fine grained access control” selected
Configured a “master” user/role for it
You’re now trying to access the cluster using an IAM role for a Lambda; that is different from the “master” one

My best guess at what is happening based on the error is that this isn’t an issue with the client, but rather a misconfiguration in that the Lambda’s role has not had a role mapping configured in OpenSearch itself. I’d recommend reading and following the docs on Fine-grained access control in Amazon OpenSearch Service.
Alternatively if you really do not need fine-grained access control you could switch to a domain-level access policy.

gkSachin04 · March 9, 2023, 6:22am

Thanks for the update… I was able to resolve the issue.

I used the arn of the role created during its execution used to map it to master arn in the opensearch configuration.

Topic		Replies	Views
AWS OpenSearch Service. Request failed: [security_exception] authentication/authorization failure Security troubleshoot , security-issue	1	1559	June 5, 2023
AWS Security Issues Security security-issue	1	235	April 16, 2024
Error connecting to Opensearch service in AWS OpenSearch troubleshoot , configure	3	2122	August 20, 2024
AwsSdk2Transport, disable SSL and add interceptors OpenSearch Client Libraries opensearch-java	1	438	May 10, 2024
405 Errors from Java HighLevel Rest Client OpenSearch Client Libraries opensearch-java	6	582	September 22, 2022

Trying to use Signing HTTP requests to Amazon OpenSearch Service, getting below error

Related topics