1 réponse
- Le plus récent
- Le plus de votes
- La plupart des commentaires
1
Hi THere
ESHttpPost
requires "Write" permissions so the ReadOnly policy that you attached would not give the role the proper permissions
See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html
Contenus pertinents
- Réponse acceptéedemandé il y a un an
- demandé il y a un an
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a un an
Hi There
Instead of the AmazonOpenSearchServiceFullAccess policy, i would recommend adhering to the principle of Least privilege. You could create a policy with the specific permissions needed.
example:
{ "Effect": "Allow", "Action": "es:ESHttpPost", "Resource": "arn:aws:es:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT_ID:domain/YOUR_DOMAIN_NAME/*" }
Hi Thanks for your answer , I checked the link you provided and that makes sense. Looks like _search API with a request body is considered as POST and that needs a Write permissions.
So just adding the AmazonOpenSearchServiceFullAccess to the ECS Fargate Task role should resolve this issue and there should not be a need to add a Identity based policy on OpenSearch Domain.
Update looks like I get another error after updating AmazonOpenSearchServiceFullAccess - Caused by: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/service-TaskRole, backend_roles=[arn:aws:iam::xxxxxxxxxxxxx:role/service-TaskRole], requestedTenant=null]]]
Looks like we do need additional work here to add IAM Role based Fine grained access