IAM Policy To Create Domain in OpenSearch


I am trying to create a domain in OpenSearch. I used the IAM permission below, but every time it gives me this error: "Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service permissions to create and manage resources on your behalf".

I have also attached the service-linked role, but I am still facing the issue.

I am using this IAM policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "es:ESHttpDelete",
            "es:ESHttpGet",
            "es:ESHttpHead",
            "es:ESHttpPost",
            "es:ESHttpPut",
            "es:ESHttpPatch",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateNetworkInterface",
            "ec2:CreateSecurityGroup",
            "ec2:DeleteNetworkInterface",
            "ec2:DeleteSecurityGroup",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:RevokeSecurityGroupIngress",
            "elasticloadbalancing:AddListenerCertificates",
            "elasticloadbalancing:RemoveListenerCertificates"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "es:AddTags",
            "es:AssociatePackage",
            "es:CreateDomain",
            "es:CreateOutboundConnection",
            "es:DeleteDomain",
            "es:DescribeDomain",
            "es:DescribeDomainAutoTunes",
            "es:DescribeDomainConfig",
            "es:DescribeDomains",
            "es:DissociatePackage",
            "es:ESCrossClusterGet",
            "es:GetCompatibleVersions",
            "es:GetUpgradeHistory",
            "es:GetUpgradeStatus",
            "es:ListPackagesForDomain",
            "es:ListTags",
            "es:RemoveTags",
            "es:StartServiceSoftwareUpdate",
            "es:UpdateDomainConfig",
            "es:UpdateNotificationStatus",
            "es:UpgradeDomain"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "es:AcceptInboundConnection",
            "es:CancelServiceSoftwareUpdate",
            "es:CreatePackage",
            "es:CreateServiceRole",
            "es:DeletePackage",
            "es:DescribeInboundConnections",
            "es:DescribeInstanceTypeLimits",
            "es:DescribeOutboundConnections",
            "es:DescribePackages",
            "es:DescribeReservedInstanceOfferings",
            "es:DescribeReservedInstances",
            "es:GetPackageVersionHistory",
            "es:ListDomainNames",
            "es:ListDomainsForPackage",
            "es:ListInstanceTypeDetails",
            "es:ListInstanceTypes",
            "es:ListNotifications",
            "es:ListVersions",
            "es:PurchaseReservedInstanceOffering",
            "es:RejectInboundConnection",
            "es:UpdatePackage"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowCreationOfServiceLinkedRoleForOpenSearch",
          "Effect": "Allow",
          "Action": [
            "iam:CreateServiceLinkedRole",
            "iam:PassRole"
          ],
          "Resource": [
            "arn:aws:iam:::role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService*",
            "arn:aws:iam:::role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService"
          ],
          "Condition": {
            "StringLike": {
              "iam:AWSServiceName": [
                "opensearchservice.amazonaws.com",
                "es.amazonaws.com"
              ]
            }
          }
        }
      ]
    }

1 Answer

Hi

In your IAM policy you need to include the "iam:GetRole" action to grant you the necessary permissions to access and retrieve the service-linked role. This authorization ensures that the user or role can successfully create an OpenSearch Service domain by retrieving the service-linked role details and utilizing it during the domain creation process.

In your IAM policy I do also notice that the resource ARN for "CreateServiceLinkedRole" action does not have a placeholder for <account-id>. It is important to include the correct format that includes the AWS account ID.

The correct format is: arn:aws:iam::<account-id>:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService*. Replace <account-id> with your actual AWS account ID.

AWS
answered 10 months ago
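The two problems the answer points out (no iam:GetRole in the service-linked-role statement, and role ARNs with an empty account-ID field) can be caught before the policy is attached. The checker below is an added example, not code from the question or the answer: it scans the statements of a policy document, reports those two problems plus an empty Resource (which IAM rejects), and returns a corrected copy. The 12-digit account ID it uses is a placeholder, and the sample policy is the service-linked-role statement from the question, trimmed to what the checks look at.

```python
import json
import re

# IAM role ARN; group 1 is the 12-digit account field, None when it is empty.
_IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12})?:role/.+$")

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def check_slr_policy(policy: dict) -> list[str]:
    """Return findings for the statements granting iam:CreateServiceLinkedRole:
    missing iam:GetRole, role ARNs without an account ID, and empty Resource."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        if not resources or "" in resources:
            findings.append(f"{sid}: empty Resource")
        if "iam:CreateServiceLinkedRole" not in actions:
            continue
        if "iam:GetRole" not in actions:
            findings.append(f"{sid}: missing iam:GetRole")
        for r in resources:
            m = _IAM_ROLE_ARN.match(r)
            if m and not m.group(1):
                findings.append(f"{sid}: no account ID in {r}")
    return findings

def fix_slr_policy(policy: dict, account_id: str) -> dict:
    """Deep-copy the policy, add iam:GetRole and fill in the account ID."""
    fixed = json.loads(json.dumps(policy))
    for st in fixed["Statement"]:
        actions = _as_list(st.get("Action"))
        if "iam:CreateServiceLinkedRole" not in actions:
            continue
        if "iam:GetRole" not in actions:
            actions.append("iam:GetRole")
        st["Action"] = actions
        st["Resource"] = [r.replace("arn:aws:iam:::", f"arn:aws:iam::{account_id}:")
                          for r in _as_list(st.get("Resource"))]
    return fixed

# Constructed sample: the service-linked-role statement from the question.
# The account ID is a placeholder, not a real account.
PLACEHOLDER_ACCOUNT = "123456789012"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowCreationOfServiceLinkedRoleForOpenSearch", "Effect": "Allow",
    "Action": ["iam:CreateServiceLinkedRole", "iam:PassRole"],
    "Resource": ["arn:aws:iam:::role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService*"],
    "Condition": {"StringLike": {"iam:AWSServiceName": ["opensearchservice.amazonaws.com"]}}}]}
```

Running `check_slr_policy(SAMPLE_POLICY)` reports both findings; `fix_slr_policy(SAMPLE_POLICY, PLACEHOLDER_ACCOUNT)` yields a copy on which the check returns nothing.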
