Why do I get a "User: anonymous is not authorized" error when I try to access my OpenSearch Service cluster?

I want to troubleshoot the "User: anonymous is not authorized" error that I receive when I access my Amazon OpenSearch Service domain or OpenSearch Dashboards.

Resolution

If you have unsigned requests from a source IP address that isn't allowed in the access policy, then you receive the "User: anonymous is not authorized" error message. To troubleshoot this issue, complete the resolution that best fits your use case.

Your client doesn't support signing requests

If you use a client that doesn't support signing requests, such as a browser, then use an IP-based access policy. IP-based policies allow unsigned requests to an OpenSearch Service domain.

Make sure to use CIDR block notation for the IP addresses that you specify in the access policy. When OpenSearch Service checks the IP address against the access policy, OpenSearch Service uses CIDR block notation.

Verify that you use the IP addresses from the access policy to access your cluster. To see the public IP address of your local computer, go to checkip.amazonaws.com.

Note: If you receive an authorization error, then check whether you use a public or private IP address. You can't apply IP-based access policies to OpenSearch Service domains that are in a virtual private cloud (VPC). VPC security groups already enforce IP-based access policies. For more information, see About access policies on VPC domains.
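As an added example (not AWS code), the following Python sketch checks locally whether an unsigned request from a given source IP address matches the `aws:SourceIp` CIDR blocks in an IP-based access policy. The policy, account ID, domain name and addresses are constructed, and the check is a simplification that ignores Deny statements and action or resource matching.

```python
import ipaddress

# RFC 1918 private ranges, used to flag a private source address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample policy (placeholder account ID, domain name and documentation IP range).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:ESHttp*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def allowed_cidrs(policy):
    """Collect aws:SourceIp CIDR blocks from Allow statements open to any principal."""
    cidrs = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") != "Allow" or not anonymous:
            continue  # statements tied to an IAM principal need a signed request
        ip_cond = stmt.get("Condition", {}).get("IpAddress", {})
        for key, value in ip_cond.items():
            if key.lower() == "aws:sourceip":  # condition key names are case-insensitive
                values = [value] if isinstance(value, str) else value
                cidrs += [ipaddress.ip_network(v, strict=False) for v in values]
    return cidrs

def diagnose(policy, source_ip):
    """Return 'allowed', 'private-ip' or 'not-in-policy' for an unsigned request."""
    ip = ipaddress.ip_address(source_ip)
    if any(ip in net for net in allowed_cidrs(policy)):
        return "allowed"
    if any(ip in net for net in RFC1918):
        return "private-ip"    # private address: compare the policy against your public IP
    return "not-in-policy"     # expect "User: anonymous is not authorized"

if __name__ == "__main__":
    for addr in ("203.0.113.25", "198.51.100.7", "10.0.0.5"):
        print(addr, diagnose(SAMPLE_POLICY, addr))
```
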

Your client supports signing requests

If you use a client that supports signing requests, then make sure that you correctly sign your requests. AWS uses the AWS Signature Version 4 (SigV4) signing process to add authentication information to AWS requests. OpenSearch Service rejects requests from clients that aren't compatible with SigV4 with a "User: anonymous is not authorized" error. For examples of correctly signed requests to OpenSearch Service, see Making and signing OpenSearch Service requests.

Verify that you specify the correct Amazon Resource Name (ARN) in the access policy.

If your OpenSearch Service domain is in a VPC, then configure an open access policy with or without a proxy server. To control access, use security groups.

You can't access OpenSearch Dashboards

You can't access OpenSearch Dashboards for the following reasons:

To resolve access issues, see Controlling access to Dashboards.

AWS OFFICIAL. Updated a month ago