Unable to pass role in AWS Opensearch

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.19
OpenSearch_2_19_R20250630-P4 (latest)

Describe the issue:
I followed the documentation in opensearch semantic-search-bedrock-cohere with the same policies and trust. But when I tried to predict the model using the dashboard, it gave me a forbidden error as follows:
Authorization error during prediction: User: [REDACTED-USER-ARN] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<my-account-id>:role/opensearch-bedrock-role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: *******; Proxy: null

I have quadruple-checked that my configuration is correct and points to the right resource ARN, and I have put the connector role to the ml_full_access backend role.

I also tried using a fresh OpenSearch domain in AWS, which yielded the same result.

My hypothesis is that, for whatever reason, OpenSearch does not want to use the bedrock role, even though the PassRole is fully functional, since I can create the connector with the bedrock-role ARN credential in the payload.

Configuration:
I have 2 roles for this: opensearch-bedrock-connector-role and opensearch-bedrock-role.

  • opensearch-bedrock-connector-role has the iam:PassRole permission towards opensearch-bedrock-role as well as es:ESHttpPost to the ARN of my OpenSearch domain. The trust policy uses my own IAM user ARN, which has administrator privileges, to assume the role.
  • opensearch-bedrock-role has permission to invoke any Bedrock foundation model. It has the trust policy as follows:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "es.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

Relevant Logs or Screenshots:
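
An added diagnostic example, not part of the original post: it lists which principals a role trust policy allows to call sts:AssumeRole and checks whether the caller ARN named in an AccessDenied message is among them. The trust policy is the one posted above; the caller ARN and account ID are constructed placeholders, and the helper names are hypothetical. It assumes exact ARN matching only and ignores Condition, Deny and NotPrincipal elements; trust in an account root also requires an identity policy that grants sts:AssumeRole.

```python
import json

# Trust policy copied from the post above.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "es.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusted_principals(policy):
    """Return (kind, value) pairs that Allow statements let call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not {"sts:assumerole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add(("AWS", "*"))
            continue
        for kind, values in principal.items():
            found.update((kind, v) for v in _as_list(values))
    return found

def is_trusted(policy, caller_arn):
    """True if caller_arn, or its account root, is listed as an AWS principal."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", account, "*"}
    return any(kind == "AWS" and value in accepted
               for kind, value in trusted_principals(policy))

# Constructed caller ARN; the real one is redacted in the error message.
CALLER = "arn:aws:iam::111122223333:user/example-user"

if __name__ == "__main__":
    print("trusted principals:", sorted(trusted_principals(TRUST_POLICY)))
    print("caller trusted:", is_trusted(TRUST_POLICY, CALLER))
```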