
How do I use Amazon Cognito authentication to access OpenSearch Dashboards from outside of a VPC?


My Amazon OpenSearch Service cluster is in a virtual private cloud (VPC). I want to access the OpenSearch Dashboards endpoint from outside the VPC.

Short description

To access OpenSearch Dashboards, use an SSH tunnel, an NGINX proxy, or an AWS Site-to-Site VPN.

If you activated fine-grained access control for your OpenSearch Service cluster, then you might receive a "missing role" error when you use Amazon Cognito authentication. To resolve this issue, add an Amazon Cognito authenticated role.

Resolution

Use an SSH tunnel

An SSH tunnel provides a secure connection over the SSH protocol. However, an SSH tunnel requires a client-side configuration and a proxy server.

For instructions, see How do I use an SSH tunnel to access OpenSearch Dashboards with Amazon Cognito authentication from outside a VPC?

Use an NGINX proxy

An NGINX proxy requires only a server-side configuration and uses standard HTTP (port 80) and HTTPS (port 443). However, an NGINX proxy requires a proxy server. The connection's security level depends on how you configure the proxy server.

For instructions, see How do I use an NGINX proxy to access OpenSearch Dashboards with Amazon Cognito authentication from outside a VPC?

Use Site-to-Site VPN

A Site-to-Site VPN creates a secure connection between your on-premises equipment and your VPCs, and uses standard TCP and UDP for an SSL/TLS VPN. However, a Site-to-Site VPN connection requires a VPN setup and client-side configuration.

Note: To allow or restrict access to resources, modify the VPC network configuration and the security groups that you associated with the OpenSearch Service domain.

Add an Amazon Cognito authenticated role for fine-grained access control

Complete the following steps:

  1. Open the OpenSearch Service console.
  2. In the navigation pane, under Managed clusters, choose Domains.
  3. Choose your domain.
  4. Choose Actions, and then select Edit security configurations.
  5. Choose Set IAM ARN as your master user.
  6. For IAM ARN, enter the Amazon Resource Name (ARN) for the Amazon Cognito authenticated AWS Identity and Access Management (IAM) role.
  7. Choose Save changes.

For existing clusters with fine-grained access control and OpenSearch Dashboards access, you must map the Amazon Cognito authenticated role to the all_access OpenSearch Dashboards role. Complete the following steps:

  1. Open the OpenSearch Service console.
  2. In the navigation pane, under Managed clusters, choose Domains.
  3. Select your domain to see the domain details.
  4. Choose the OpenSearch Dashboards URL.
    Note: This step redirects you to a new window.
  5. Log in to OpenSearch Dashboards with the username and password of the Master user.
  6. Choose Security, and then choose Roles.
  7. Select the all_access role.
  8. Choose Mapped users, and then choose Manage mapping.
  9. For Backend role, enter the ARN of the Amazon Cognito authenticated IAM role, and then choose Map.
  10. Navigate back to the OpenSearch Service console.
  11. Under Security configuration, select Amazon Cognito authentication for the user pool and identity pools for your Amazon Cognito authenticated IAM role.
    Note: This update causes a blue/green deployment.
  12. To access the cluster, use an NGINX proxy or a Site-to-Site VPN.

For more information about fine-grained access control, see Tutorial: Configure a domain with an IAM master user and Amazon Cognito authentication.
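Step 9 above makes the role mapping through the Dashboards UI; the same change can be made against the security plugin's REST API, which is useful when you need to repeat it for several domains or verify that the mapping is in place. The following Python script is an added example and is not part of the AWS article: it reads the current all_access mapping and patches backend_roles to include the Amazon Cognito authenticated role ARN. The domain endpoint, role ARN and master user credentials are placeholders, and the script assumes an internal-database master user with a username and password (as in step 5); with an IAM ARN master user the requests would need to be SigV4-signed instead.

```python
import base64
import json
import re
import urllib.request

# Placeholder values for this example (not from the article): replace with your own.
DOMAIN_ENDPOINT = "https://search-example-domain.us-east-1.es.amazonaws.com"
ROLESMAPPING_URL = f"{DOMAIN_ENDPOINT}/_plugins/_security/api/rolesmapping/all_access"
COGNITO_AUTH_ROLE_ARN = "arn:aws:iam::123456789012:role/Cognito_ExampleAuth_Role"

# An IAM role ARN: account ID plus a role name, optionally with a path.
_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def merged_backend_roles(current, cognito_role_arn):
    """Return backend_roles with the Cognito authenticated role added.

    Rejects anything that is not an IAM role ARN (a user ARN or the identity
    pool ID is a common mistake), keeps the existing entries, and is idempotent
    when the ARN is already mapped.
    """
    if not _ROLE_ARN.match(cognito_role_arn):
        raise ValueError(f"not an IAM role ARN: {cognito_role_arn}")
    if cognito_role_arn in current:
        return list(current)
    return [*current, cognito_role_arn]


def rolesmapping_patch(current, cognito_role_arn):
    """Build the JSON Patch body the security API accepts for a role mapping."""
    return [{"op": "add", "path": "/backend_roles",
             "value": merged_backend_roles(current, cognito_role_arn)}]


def map_cognito_role(master_user, master_password, cognito_role_arn):
    """GET the current all_access mapping, then PATCH backend_roles (network call)."""
    creds = base64.b64encode(f"{master_user}:{master_password}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(ROLESMAPPING_URL, headers=headers)) as r:
        current = json.load(r)["all_access"].get("backend_roles", [])
    body = json.dumps(rolesmapping_patch(current, cognito_role_arn)).encode()
    req = urllib.request.Request(ROLESMAPPING_URL, data=body, headers=headers, method="PATCH")
    with urllib.request.urlopen(req) as r:
        return json.load(r)


if __name__ == "__main__":
    # Offline demonstration of the body that would be sent.
    existing = ["arn:aws:iam::123456789012:role/ExistingAdminRole"]
    print(json.dumps(rolesmapping_patch(existing, COGNITO_AUTH_ROLE_ARN), indent=2))
```

After running map_cognito_role, a GET on the same URL should list the Cognito authenticated role ARN under backend_roles; the change takes effect immediately and does not trigger a blue/green deployment on its own.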

Related information

How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?

Configuring Amazon Cognito authentication for OpenSearch Dashboards

Why do I get a "User: anonymous is not authorized" error when I try to access my OpenSearch Service cluster?

AWS OFFICIAL. Updated 5 months ago.