My Amazon OpenSearch Service cluster is in a virtual private cloud (VPC). I want to use an SSH tunnel to access OpenSearch Dashboards with Amazon Cognito authentication from outside the VPC.
Short description
By default, Amazon Cognito restricts OpenSearch Dashboards access to AWS Identity and Access Management (IAM) users in the VPC. To access an OpenSearch Service domain from another VPC, create an OpenSearch Service managed VPC endpoint. To publicly access a dashboard URL, use an SSH tunnel.
Important: Verify that access to OpenSearch Dashboards from outside the VPC complies with your organization's security requirements.
To use an SSH tunnel to access OpenSearch Dashboards from outside the VPC, complete the following steps:
- Create an Amazon Cognito user pool and identity pool.
- Create an Amazon Elastic Compute Cloud (Amazon EC2) instance in a public subnet.
- Use a browser add-on to configure a SOCKS proxy.
- Create an SSH tunnel from your local machine to the Amazon EC2 instance.
Note: You can also use an NGINX proxy or client VPN to access OpenSearch Dashboards from outside of a VPC with Amazon Cognito authentication.
- (Optional) If you turn on fine-grained access control, then add an Amazon Cognito authenticated role.
Resolution
Create an Amazon Cognito user pool and identity pool
Complete the following steps:
- Create an Amazon Cognito user pool.
- Configure a hosted user pool domain.
- Configure your users and groups.
- Create an Amazon Cognito Identity pool. Configure the following settings:
For User Access, choose Authenticated access.
For Authenticated identity sources, enter Amazon Cognito user pool.
For IAM role, choose Create a new IAM role, and then enter a role name.
For User pool details, select your user pool, and then choose AppClient ID.
For Role settings, choose Use default authenticated role.
For Claim mapping, choose Inactive.
- Configure your OpenSearch Service domain to use Amazon Cognito authentication. Configure the following settings:
For Cognito User Pool, select your user pool.
For Cognito Identity Pool, select your identity pool.
- For Domain access policy, enter the following access policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account-id:role/service-role/identitypool-role"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:region:account-id:domain/domain-name/*"
        }
      ]
    }
Note: Replace account-id with your AWS account ID and identitypool-role with the name of your identity pool role. Replace domain-name with your OpenSearch Service domain name, and region with your domain's AWS Region.
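A pre-apply check for the access policy above, added here as an example and not part of the original article. It assumes the policy is pasted as JSON text and flags unreplaced placeholders, a wildcard principal, a resource that is not scoped to a single domain, and actions outside the es: namespace (the ARN patterns are the standard IAM role and OpenSearch domain ARN formats).

```python
import json
import re

# Placeholder tokens from the sample policy; any that survive mean the
# policy was pasted without being customized.
PLACEHOLDERS = ("account-id", "identitypool-role", "domain-name", "region")
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# Domain names are 3-28 chars, lowercase letters, digits and hyphens, starting with a letter.
DOMAIN_ARN = re.compile(r"^arn:aws:es:[a-z0-9-]+:\d{12}:domain/[a-z][a-z0-9-]{2,27}/\*$")


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_domain_policy(policy_text: str) -> list:
    """Return findings for a domain access policy; an empty list means every check passed."""
    findings = []
    for token in PLACEHOLDERS:
        if token in policy_text:
            findings.append(f"placeholder '{token}' was not replaced")
    policy = json.loads(policy_text)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A wildcard principal would let any AWS identity call the domain.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("Principal is '*': restrict it to the identity pool role")
        elif isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS")):
                if not ROLE_ARN.match(arn):
                    findings.append(f"Principal '{arn}' is not an IAM role ARN")
        for resource in _as_list(stmt.get("Resource")):
            if not DOMAIN_ARN.match(resource):
                findings.append(f"Resource '{resource}' is not scoped to one domain")
        for action in _as_list(stmt.get("Action")):
            if not action.startswith("es:"):
                findings.append(f"Action '{action}' is outside the es: namespace")
    return findings
```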
Create an EC2 instance and configure security group rules
Important: The instance's subnet must be in the same VPC as your OpenSearch Service domain.
Complete the following steps:
- Launch an instance in the public subnet of the VPC that your OpenSearch Service domain is in.
- Open the Configure Instance Details page, and then verify that Auto-assign Public IP is set to Enable.
- Add inbound rules to the security group that's associated with your instance. Configure these rules to allow traffic to ports 8157 and 22 from the IP address of the machine that you use to access OpenSearch Dashboards.
- Add an inbound rule to the security group that's associated with the OpenSearch Service domain. Configure this rule to allow traffic from the private IP address of your instance.
Configure the SOCKS proxy
Note: The following instructions use FoxyProxy to configure the SOCKS proxy.
Complete the following steps:
- Add FoxyProxy Standard to Google Chrome. For more information, see FoxyProxy on the Chrome web store.
- Open FoxyProxy, and then choose Options.
- Under Proxies, choose Add.
- Configure the following settings:
For Title, enter a proxy name.
For Hostname, enter localhost.
For Port, enter 8157.
For Type, select SOCKS5.
- To add a pattern, choose the plus sign (+), and then configure the following settings:
Keep the first field blank.
For Title, enter a name for your pattern.
For Pattern, enter the OpenSearch Dashboards VPC endpoint. For example: https://vpc-mydomain-rg3abcdefghiflge.us-east-1.es.amazonaws.com/_dashboards.
For Type, select Wildcards.
For Include, select Include.
- Choose Save.
Create the SSH tunnel
Complete the following steps:
- Use the local machine that you use to access OpenSearch Dashboards to run the following command:
ssh -i "mykeypair.pem" ec2-user@public_dns_name -ND 8157
Note: Replace mykeypair.pem with the name of the .pem file for the key pair that you specified when you launched your instance. Replace public_dns_name with the public DNS of your instance. For more information, see DNS attributes for your VPC.
- Enter the OpenSearch Dashboards endpoint in your browser to open the Amazon Cognito login page for OpenSearch Dashboards.
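A small wrapper for the tunnel step above, added as an example and not part of the original article. It assumes a Linux or macOS client: it refuses a private key that is readable by group or others (ssh rejects such keys), builds the ssh command with the SOCKS listener bound to loopback only, and lets you confirm that port 8157 is listening before you point the browser at the dashboard.

```python
import os
import socket
import stat
import subprocess
import sys

SOCKS_PORT = 8157  # the port configured in FoxyProxy above


def check_key_permissions(key_path: str) -> bool:
    """ssh refuses a private key readable by group or others; verify that before starting."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    return mode & 0o077 == 0


def build_tunnel_command(key_path: str, public_dns_name: str, port: int = SOCKS_PORT) -> list:
    """Return the argv for the dynamic-forwarding tunnel (ssh -i key -ND port)."""
    return [
        "ssh", "-i", key_path,
        "-N",                               # no remote command, forwarding only
        "-D", f"127.0.0.1:{port}",          # SOCKS listener on loopback only, not 0.0.0.0
        "-o", "ExitOnForwardFailure=yes",   # fail loudly if the local port is already taken
        "-o", "ServerAliveInterval=60",     # keep the tunnel up during idle dashboard sessions
        f"ec2-user@{public_dns_name}",
    ]


def tunnel_is_listening(port: int = SOCKS_PORT, host: str = "127.0.0.1") -> bool:
    """True when something accepts TCP connections on the local SOCKS port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(1.0)
        return sock.connect_ex((host, port)) == 0


if __name__ == "__main__":
    # usage: python tunnel.py mykeypair.pem public_dns_name
    key, host = sys.argv[1], sys.argv[2]
    if not check_key_permissions(key):
        sys.exit(f"{key} is readable by others; run: chmod 600 {key}")
    subprocess.run(build_tunnel_command(key, host), check=True)
```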
(Optional) If you turn on fine-grained access control, then add an Amazon Cognito identity pool role
If you turn on fine-grained access control for your OpenSearch Service cluster, then you might receive a missing role error.
To resolve the missing role error, complete the following steps:
- Open the OpenSearch Service console.
- In the navigation pane, under Managed clusters, choose Domains.
- Select your domain, and then choose Actions.
- Choose Edit security configurations.
- Choose Set IAM ARN as your master user.
- For IAM ARN, enter the Amazon Cognito identity pool role's Amazon Resource Name (ARN).
- Choose Save.
For more information about fine-grained access control, see Tutorial: Configure a domain with an IAM master user and Amazon Cognito authentication.
Related information
Configuring Amazon Cognito authentication for OpenSearch Dashboards
Launching your Amazon OpenSearch Service domains within a VPC