Issues Connecting Service hosted on Fargate to OpenSearch in Same VPC


Hi all, we have a service hosted on ECS Fargate and an OpenSearch domain that has fine-grained access control enabled [user]. On the service side we have attached OpenSearchServiceReadOnlyAccess, since the service is only doing get/search operations on the OpenSearch domain. [screenshot]

On the OpenSearch domain side we have the below: [screenshot]

When a service ECS task tries to make search calls to the OpenSearch domain we get the error below:

User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/service-TaskRole/54bbad32d1f24ee99e40f74f36f076b5 is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action

Can someone help? Do I need to add an identity-based policy like the one below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:*"
      ],
      "Effect": "Allow",
      "Resource":  "arn:aws:sts::xxxxxxxxxxxx:assumed-role/domain/*"
    }
  ]
}

Or is there anything else we need to do?

1 Answer

Hi there,

ESHttpPost requires "Write" permissions, so the ReadOnly policy that you attached would not give the role the proper permissions.

See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html

AWS EXPERT
Matt-B
answered a month ago
EXPERT
reviewed a month ago
  • Hi there,

    Instead of the AmazonOpenSearchServiceFullAccess policy, I would recommend adhering to the principle of least privilege. You could create a policy with the specific permissions needed.

    Example:

    {
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "arn:aws:es:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT_ID:domain/YOUR_DOMAIN_NAME/*"
    }

  • Hi, thanks for your answer. I checked the link you provided and that makes sense. It looks like the _search API with a request body is treated as a POST, and that needs Write permissions.

    So just adding AmazonOpenSearchServiceFullAccess to the ECS Fargate task role should resolve this issue, and there should be no need to add an identity-based policy on the OpenSearch domain.

    Update: it looks like I get another error after adding AmazonOpenSearchServiceFullAccess: Caused by: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/service-TaskRole, backend_roles=[arn:aws:iam::xxxxxxxxxxxxx:role/service-TaskRole], requestedTenant=null]]]

    It looks like we do need additional work here to add IAM-role-based fine-grained access.
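The two errors in this thread come from two separate authorization layers: the IAM identity policy on the task role (which rejected es:ESHttpPost) and fine-grained access control inside the domain (which rejected indices:data/read/search once IAM let the request through). The following Python is an added example, not code from the question or answer: it builds the least-privilege task-role policy, the OpenSearch Security plugin role and role-mapping bodies that tie the IAM role ARN to an OpenSearch role, and a deliberately simplified evaluator that walks both layers so you can see which one blocks a given request. The account ID, region, domain name, index name and the contents of the READ_ONLY_POLICY and FULL_ACCESS_POLICY stand-ins are constructed assumptions; the evaluator approximates IAM and FGAC behaviour and is not AWS's engine.

```python
"""Two-layer authorization model for an ECS task calling an OpenSearch domain.
Added example; the evaluator is a simplified model of IAM + FGAC, not AWS code."""
from fnmatch import fnmatchcase

# Constructed sample identifiers (assumptions, not real resources).
REGION, ACCOUNT, DOMAIN = "us-east-1", "123456789012", "search-domain"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-TaskRole"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/{DOMAIN}"


def least_privilege_task_policy(index_path="*"):
    """IAM identity policy for the task role: only the HTTP verbs a search-only
    client needs, scoped to this domain. _search with a request body is sent as
    POST, so ESHttpGet alone is not enough (the first error in the thread)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["es:ESHttpGet", "es:ESHttpPost"],
        "Resource": f"{DOMAIN_ARN}/{index_path}"}]}


def fgac_role_and_mapping(index_pattern="products*"):
    """Bodies for the OpenSearch Security plugin REST API:
    PUT _plugins/_security/api/roles/<name>        <- role body
    PUT _plugins/_security/api/rolesmapping/<name> <- mapping body
    The mapping's backend_roles entry is the IAM role ARN shown in the error."""
    role = {"cluster_permissions": [],
            "index_permissions": [{"index_patterns": [index_pattern],
                                   "allowed_actions": ["indices:data/read/search"]}]}
    mapping = {"backend_roles": [TASK_ROLE_ARN]}
    return role, mapping


def iam_allows(policy, action, resource):
    """Simplified IAM evaluation: any matching explicit Deny wins, else any
    matching Allow grants. Wildcards use IAM-style '*' matching."""
    allowed = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not (any(fnmatchcase(action, a) for a in acts)
                and any(fnmatchcase(resource, r) for r in res)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def fgac_allows(roles, mappings, backend_role, index, action):
    """Simplified FGAC check: the caller's IAM ARN must appear in backend_roles
    of a mapped OpenSearch role whose index_permissions cover index and action."""
    for name, mapping in mappings.items():
        if backend_role not in mapping.get("backend_roles", []):
            continue
        for perm in roles[name]["index_permissions"]:
            if (any(fnmatchcase(index, p) for p in perm["index_patterns"])
                    and any(fnmatchcase(action, a) for a in perm["allowed_actions"])):
                return True
    return False


def search_request_authorized(policy, roles, mappings, index="products", method="POST"):
    """Walk both layers for <method> /<index>/_search as the task role.
    Returns (iam_ok, fgac_ok, message)."""
    iam_action = {"GET": "es:ESHttpGet", "POST": "es:ESHttpPost"}[method]
    if not iam_allows(policy, iam_action, f"{DOMAIN_ARN}/{index}/_search"):
        return (False, False, f"IAM: no identity-based policy allows {iam_action}")
    if not fgac_allows(roles, mappings, TASK_ROLE_ARN, index, "indices:data/read/search"):
        return (True, False, "FGAC: no permissions for [indices:data/read/search]")
    return (True, True, "allowed")


# Constructed stand-ins for the managed policies discussed above (assumption:
# read-only grants only GET/HEAD and describe/list; full access grants es:*).
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["es:ESHttpGet", "es:ESHttpHead", "es:Describe*", "es:List*"], "Resource": "*"}]}
FULL_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "es:*", "Resource": "*"}]}

if __name__ == "__main__":
    role, mapping = fgac_role_and_mapping()
    print(search_request_authorized(READ_ONLY_POLICY, {}, {}))                # blocked at IAM
    print(search_request_authorized(FULL_ACCESS_POLICY, {}, {}))              # blocked at FGAC
    print(search_request_authorized(least_privilege_task_policy(),
                                    {"task_search_role": role},
                                    {"task_search_role": mapping}))           # allowed
```

Running the block reproduces the thread's sequence: the read-only stand-in stops at IAM with the es:ESHttpPost message, the full-access stand-in passes IAM but stops at FGAC with the indices:data/read/search message, and the least-privilege policy combined with the role mapping is allowed. In a real deployment the role and mapping bodies are PUT to the domain by a user that holds the FGAC master role, and the mapping must reference the plain IAM role ARN (arn:aws:iam::…:role/…), not the STS assumed-role ARN that appears in the first error.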
