Issues Connecting Service hosted on Fargate to OpenSearch in Same VPC

0

Hi all, we have a service hosted on ECS Fargate and we have an OpenSearch domain that has fine-grained access enabled [user]. On the service side we have enabled OpenSearchServiceReadOnlyAccess, since the service is just doing get/search operations on the OpenSearch domain.

On the OpenSearch domain side we have the setup shown in the attached screenshot.

When a service ECS task tries to make search calls on the OpenSearch domain we get the error below:

User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/service-TaskRole/54bbad32d1f24ee99e40f74f36f076b5 is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action

Can someone help? Do I need to add an identity-based policy like the one below?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:*"
      ],
      "Effect": "Allow",
      "Resource":  "arn:aws:sts::xxxxxxxxxxxx:assumed-role/domain/*"
    }
  ]
}

Or is there anything else we need to do?

1 answer

Hi There

ESHttpPost requires "Write" permissions, so the ReadOnly policy that you attached would not give the role the proper permissions.

See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html

AWS EXPERT
Matt-B
answered a month ago
EXPERT
verified a month ago
  • Hi There

    Instead of the AmazonOpenSearchServiceFullAccess policy, I would recommend adhering to the principle of least privilege. You could create a policy with the specific permissions needed.

    Example:

    {
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "arn:aws:es:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT_ID:domain/YOUR_DOMAIN_NAME/*"
    }

  • Hi, thanks for your answer. I checked the link you provided and that makes sense. Looks like the _search API with a request body is treated as a POST and that needs Write permissions.

    So just adding AmazonOpenSearchServiceFullAccess to the ECS Fargate task role should resolve this issue, and there should not be a need to add an identity-based policy on the OpenSearch domain.

    Update: looks like I get another error after adding AmazonOpenSearchServiceFullAccess - Caused by: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/service-TaskRole, backend_roles=[arn:aws:iam::xxxxxxxxxxxxx:role/service-TaskRole], requestedTenant=null]]]

    Looks like we do need additional work here to add IAM role-based fine-grained access.
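The thread above raises two separate authorization layers: the IAM identity policy on the task role (where es:ESHttpPost is needed and the asker's proposed es:* policy with an sts: resource is both too broad and mis-scoped), and the domain's fine-grained access control, which the second error shows is rejecting indices:data/read/search for the IAM role. The following Python is an added example, not code from the question, the AWS answer or any AWS library: it builds a least-privilege task-role policy, lints a policy document for the two problems visible in the question, and prepares the OpenSearch security-plugin role and role-mapping bodies that map the task role ARN (which the error reports as a backend role) to read-only index permissions. Region, account id, domain name, role name and index pattern are constructed placeholders.

```python
"""Added example (not from the original post): review the IAM side of the
task-role policy and prepare the fine-grained-access-control (FGAC) side.
All region / account / domain / index values are constructed placeholders."""
import json
import re

# An OpenSearch Service domain ARN: arn:aws:es:<region>:<account>:domain/<name>[/...]
_DOMAIN_ARN = re.compile(r"^arn:aws:es:[a-z0-9-]+:\d{12}:domain/[^/*]+(/.*)?$")

# The policy proposed in the question (account id is a placeholder): es:* on an
# sts: assumed-role ARN, which is not a resource es: actions can be scoped to.
PROPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["es:*"],
        "Effect": "Allow",
        "Resource": "arn:aws:sts::123456789012:assumed-role/domain/*",
    }],
}


def build_task_role_policy(region: str, account_id: str, domain_name: str) -> dict:
    """Least-privilege identity policy for the ECS task role.

    A _search with a request body is an HTTP POST, so es:ESHttpPost is required;
    es:ESHttpGet covers GET-style reads. Both are scoped to one domain ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["es:ESHttpGet", "es:ESHttpPost"],
            "Resource": f"arn:aws:es:{region}:{account_id}:domain/{domain_name}/*",
        }],
    }


def lint_es_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant es:* or target a non-domain ARN."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        if any(a in ("es:*", "*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions} grants every es: action, not just reads")
        if any(a.lower().startswith("es:") for a in actions):
            for r in resources:
                if not _DOMAIN_ARN.match(r):
                    findings.append(f"statement {i}: resource {r!r} is not an OpenSearch domain ARN")
    return findings


def build_fgac_role_and_mapping(role_name: str, index_pattern: str, task_role_arn: str) -> dict:
    """Request bodies for the OpenSearch security plugin REST API, keyed by endpoint.

    FGAC authorizes the IAM identity separately from IAM: the task role ARN must be
    mapped as a backend role to an OpenSearch role that allows the action named in
    the error (indices:data/read/search) on the target indices. Endpoint paths and
    body fields follow the security plugin's documented roles / rolesmapping API.
    """
    return {
        f"PUT /_plugins/_security/api/roles/{role_name}": {
            # Read-only composite cluster ops (e.g. _msearch/_mget); drop if unused.
            "cluster_permissions": ["cluster_composite_ops_ro"],
            "index_permissions": [{
                "index_patterns": [index_pattern],
                "allowed_actions": ["indices:data/read/search", "indices:data/read/get"],
            }],
        },
        f"PUT /_plugins/_security/api/rolesmapping/{role_name}": {
            "backend_roles": [task_role_arn],  # the IAM role ARN reported in the error
        },
    }


if __name__ == "__main__":
    print("findings for proposed policy:", *lint_es_policy(PROPOSED_POLICY), sep="\n  ")
    good = build_task_role_policy("us-east-1", "123456789012", "search-domain")
    print("findings for least-privilege policy:", lint_es_policy(good))
    bodies = build_fgac_role_and_mapping(
        "fargate_search_reader", "orders-*", "arn:aws:iam::123456789012:role/service-TaskRole")
    print(json.dumps(bodies, indent=2))
```

The linter flags exactly the two properties of the proposed policy that matter here (a wildcard es:* action and a resource that is not an arn:aws:es domain ARN) and passes the scoped policy; the FGAC bodies are what an administrator would PUT to the domain's security API so that the task role is recognized with read-only index permissions rather than failing with the security_exception shown in the follow-up.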
