
How do I assign read-only permission to users who access Amazon Cognito user pools with OpenSearch?


I don't want Amazon Cognito users to have full access to the user pools when they use OpenSearch Dashboards.

Resolution

Domain with fine-grained access control turned off

If you didn't turn on fine-grained access control on your OpenSearch domain, use the domain access policy of the OpenSearch cluster to restrict access. The policy grants read-only access to your Cognito users: it allows only the es:ESHttpGet action for the IAM role that's associated with the Cognito sign-in.

Example domain access policy with ESHttpGet permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:role/Cognito_identity-pool-nameAuth_Role"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:aws:es:region:account-id:domain/opensearch-domain-name/*"
    }
  ]
}

Note: Replace account-id with your AWS account's ID and identity-pool-name with your Cognito identity pool name. Also, replace region with your AWS Region and opensearch-domain-name with your OpenSearch domain name.

For more information, see Configuring a domain to use Amazon Cognito authentication.

After you apply the policy, test it: send a signed request to your domain and confirm that you can perform only GET operations on the domain and that write requests are denied.

OpenSearch cluster with fine-grained access control turned on

Complete the following steps:

  1. Open the Cognito console.

  2. Select your user pool, and then choose Create user.

  3. Create a user with a name such as limited-user.

  4. Create an AWS Identity and Access Management (IAM) role for limited-user, for example LimitedUserRole. As the primary user, you use this IAM role to assign limited access to specific users.

  5. Attach the following trust policy to LimitedUserRole:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "cognito-identity.amazonaws.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "cognito-identity.amazonaws.com:aud": "identity-pool-id"
            },
            "ForAnyValue:StringLike": {
              "cognito-identity.amazonaws.com:amr": "authenticated"
            }
          }
        }
      ]
    }

    Note: Replace identity-pool-id with your Cognito identity pool ID.

  6. Attach the following custom inline policy that grants read-only permissions to the OpenSearch domain:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowOpenSearchReadAccess",
          "Effect": "Allow",
          "Action": [
            "es:ESHttpGet"
          ],
          "Resource": "arn:aws:es:region:account-id:domain/*"
        }
      ]
    }

    Note: Replace region with your Region and account-id with your account's ID.

  7. Create a group with a name such as limited-user-group, and then assign the LimitedUserRole IAM role to the group.

  8. Choose limited-user-group, and then add limited-user and other users to the group.
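The following script is an added example, not AWS code: it evaluates the domain access policy from the first section and the LimitedUserRole trust policy from step 5 offline, using a small subset of IAM evaluation logic (explicit Deny wins, any matching Allow allows, otherwise implicit deny; StringEquals, StringLike and the ForAnyValue/ForAllValues set operators). The account ID, Region, domain name and identity pool ID are constructed placeholders. It shows that the authenticated role gets es:ESHttpGet but not POST, PUT or DELETE, that a Resource ending in "/" instead of "/*" matches nothing, and that only credentials from your identity pool with an authenticated amr claim can assume the role.

```python
"""Offline evaluation of the read-only policies in this article (added example, not AWS code)."""
import re

# Constructed placeholder values; substitute your own.
ACCOUNT = "111122223333"
REGION = "us-east-1"
DOMAIN = "opensearch-domain-name"
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
AUTH_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Cognito_identity-pool-nameAuth_Role"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/{DOMAIN}"


def domain_access_policy(resource):
    """The article's domain access policy, parameterised on its Resource element."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": AUTH_ROLE},
        "Action": "es:ESHttpGet",
        "Resource": resource,
    }]}


# Trust policy from step 5 with the placeholder pool ID filled in.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
    },
}]}


def iam_match(pattern, value):
    """IAM wildcard matching: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def as_list(x):
    return x if isinstance(x, list) else [x]


def conditions_hold(conditions, context):
    """StringEquals / StringLike, optionally prefixed with ForAnyValue / ForAllValues."""
    for operator, pairs in conditions.items():
        set_op, _, base = operator.rpartition(":")
        for key, expected in pairs.items():
            actual, expected = as_list(context.get(key, [])), as_list(expected)
            if base == "StringEquals":
                hits = [a in expected for a in actual]
            elif base == "StringLike":
                hits = [any(iam_match(e, a) for e in expected) for a in actual]
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            # A missing key yields no hits, so single-valued and ForAnyValue tests fail closed.
            ok = all(hits) if set_op == "ForAllValues" else any(hits)
            if not ok:
                return False
    return True


def statement_matches(stmt, req):
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else [p for v in principal.values() for p in as_list(v)]
    if principals and not any(iam_match(p, req["principal"]) for p in principals):
        return False
    if not any(iam_match(a, req["action"]) for a in as_list(stmt["Action"])):
        return False
    if "Resource" in stmt and not any(
            iam_match(r, req.get("resource", "")) for r in as_list(stmt["Resource"])):
        return False
    return conditions_hold(stmt.get("Condition", {}), req.get("context", {}))


def evaluate(policy, req):
    decision = "Deny"  # implicit deny unless a statement allows
    for stmt in policy["Statement"]:
        if statement_matches(stmt, req):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            decision = "Allow"
    return decision


def domain_decisions(principal=AUTH_ROLE, resource_pattern=DOMAIN_ARN + "/*"):
    """Decision per OpenSearch HTTP action for a request to the domain's _search path."""
    policy = domain_access_policy(resource_pattern)
    req = {"principal": principal, "resource": DOMAIN_ARN + "/_search"}
    return {a: evaluate(policy, dict(req, action=a))
            for a in ("es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete")}


def trust_decision(pool_id, amr):
    """Can identity-pool credentials carrying these aud/amr claims assume LimitedUserRole?"""
    req = {"principal": "cognito-identity.amazonaws.com",
           "action": "sts:AssumeRoleWithWebIdentity",
           "context": {"cognito-identity.amazonaws.com:aud": pool_id,
                       "cognito-identity.amazonaws.com:amr": amr}}
    return evaluate(TRUST_POLICY, req)


if __name__ == "__main__":
    print("with /*:   ", domain_decisions())
    print("without /*:", domain_decisions(resource_pattern=DOMAIN_ARN + "/"))
    print("trust:", trust_decision(POOL_ID, ["authenticated"]),
          trust_decision(POOL_ID, ["unauthenticated"]))
```

The evaluator deliberately covers only the elements these two policies use; it is a way to reason about the documents before you deploy them, not a replacement for testing against the domain with signed requests as the first section describes.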

Map limited-user to a role on OpenSearch Dashboards

  1. Log in to OpenSearch Dashboards as the primary user.
  2. Choose Security.
  3. Choose Roles, and then select your role. Or, create a new role. For more information, see Create roles on the OpenSearch website.
    Note: You can also use the predefined role readall_and_monitor or readall. For more information, see Predefined roles on the OpenSearch website.
  4. Map the role to limited-user.
  5. Log in as limited-user.
    Note: As limited-user, you can't perform write operations in OpenSearch Dashboards.
AWS OFFICIAL | Updated 5 months ago