You also need to create a data access policy in OpenSearch Serverless to allow access to the collections and indexes
Example policy from "Overview of security in Amazon OpenSearch Serverless":

[
  {
    "Rules": [
      {
        "ResourceType": "index",
        "Resource": [
          "index/marketing/orders*"
        ],
        "Permission": [
          "aoss:*"
        ]
      }
    ],
    "Principal": [
      "arn:aws:iam::123456789012:user/Dale",
      "arn:aws:iam::123456789012:role/RegulatoryCompliance",
      "saml/123456789012/myprovider/user/Annie"
    ]
  }
]
References:
- https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-security.html#serverless-security-data-access
- https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html
Also make sure your IAM user credentials are either stored in the default profile or passed to boto3.Session with profile_name: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#shared-credentials-file
I also had this issue and I don't believe that the suggested fixes would have solved the OP's problem.
The signer that is created is defaulting to signing requests for the es service (Elasticsearch), which isn't correct for serverless.
Altering the auth line to auth = AWSV4SignerAuth(credentials, region, 'aoss') fixed it for me.
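The answer above changes only the service name handed to the signer. The reason that matters is that the service name is baked into both the SigV4 credential scope and the derived signing key, so a request signed for "es" is simply an invalid signature at an "aoss" endpoint. The following is an added example (not code from the original post or from opensearch-py) that implements the SigV4 derivation with the standard library and shows the scope and signature changing with the service name; the access key, secret, region and collection hostname are constructed placeholders, and `service_for_endpoint` is a hypothetical helper that infers the service from the endpoint hostname.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials and endpoint (not real values).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "exampleSecretKeyDoNotUse0000000000000000"
REGION = "us-east-1"
HOST = "abc123example.us-east-1.aoss.amazonaws.com"  # placeholder collection endpoint


def service_for_endpoint(host):
    """Hypothetical helper: serverless collection endpoints live under
    <id>.<region>.aoss.amazonaws.com, managed domains under ...es.amazonaws.com."""
    return "aoss" if host.endswith(".aoss.amazonaws.com") else "es"


def sign_request(service, method, path, body, amz_date,
                 access_key=ACCESS_KEY, secret_key=SECRET_KEY,
                 region=REGION, host=HOST):
    """Return (Authorization header, credential scope) for a SigV4-signed request.

    amz_date is the X-Amz-Date value, e.g. "20240101T000000Z".
    """
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()

    # Canonical request: method, URI, query (empty here), headers, signed headers, payload hash.
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([method, quote(path, safe="/~"), "",
                                   canonical_headers, signed_headers, payload_hash])

    # The service name is part of the credential scope ...
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, credential_scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # ... and of the key derivation chain, so "es" and "aoss" never produce the same key.
    k_date = hmac.new(("AWS4" + secret_key).encode(), date_stamp.encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, service.encode(), hashlib.sha256).digest()
    k_signing = hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{credential_scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return authorization, credential_scope


if __name__ == "__main__":
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for svc in ("es", service_for_endpoint(HOST)):
        auth, scope = sign_request(svc, "GET", "/orders/_search", b"", now)
        print(f"{svc:4s} scope={scope}\n     {auth}")
```

Run it and the two Authorization headers differ only in the scope segment and the signature, which is exactly the difference between a rejected and an accepted request against a serverless collection.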
Don't items 2 and 3 in the question say that I did all this?
Hi,
for item #2 - aws configure can be executed to configure a profile other than default. If you're using a profile name other than default then this profile name would have to be passed to boto3.Session as a named profile.
for item #3 - this tells me
a network policy rule was created allowing access to collections from Public.
Can you confirm that this policy is allowing public access to the OpenSearch endpoint and not just OpenSearch Dashboards, and that your collection name is selected?
a data access policy rule was created with an IAM user granted permissions.
Can you confirm that this policy is granting permissions to both indexes index/<collection-name>/* as well as collections collection/<collection-name>?
Where are you executing this Python script (local environment, EC2/Cloud9, etc)?
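The reply above asks for two things that are easy to get wrong in a data access policy: the principal must be listed, and there must be a rule for the collection resource as well as for the index resource. Here is an added checker (not code from the original thread or from AWS) that takes a policy document in the format shown in the first answer and reports which of the required (resource type, permission) pairs a given principal is missing for a given collection and index. The sample policy, principal ARN and collection/index names are constructed; resource and permission wildcards are matched with shell-style globbing, which is a simplification of the service's own matching.

```python
import fnmatch
import json

# Constructed sample policy, modelled on the example in the first answer.
# It grants the index rule only, the situation the reply above warns about.
SAMPLE_POLICY = json.loads("""
[
  {
    "Rules": [
      {
        "ResourceType": "index",
        "Resource": ["index/marketing/orders*"],
        "Permission": ["aoss:ReadDocument", "aoss:WriteDocument"]
      }
    ],
    "Principal": ["arn:aws:iam::123456789012:user/Dale"]
  }
]
""")

# Minimum a client needs to query an index: see the collection and read documents.
DEFAULT_REQUIRED = (
    ("collection", "aoss:DescribeCollectionItems"),
    ("index", "aoss:ReadDocument"),
)


def _glob_any(patterns, value):
    """True if any glob pattern (e.g. "aoss:*", "index/marketing/orders*") matches value."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def grants(policy, principal, resource_type, resource, permission):
    """True if some rule in some statement lists the principal and matches
    the resource and permission."""
    for statement in policy:
        if principal not in statement.get("Principal", []):
            continue
        for rule in statement.get("Rules", []):
            if rule.get("ResourceType") != resource_type:
                continue
            if _glob_any(rule.get("Resource", []), resource) and \
               _glob_any(rule.get("Permission", []), permission):
                return True
    return False


def missing_grants(policy, principal, collection, index, required=DEFAULT_REQUIRED):
    """Return the (resource_type, permission) pairs from `required` that the
    policy does NOT grant the principal on the given collection and index."""
    missing = []
    for resource_type, permission in required:
        if resource_type == "collection":
            resource = f"collection/{collection}"
        else:
            resource = f"index/{collection}/{index}"
        if not grants(policy, principal, resource_type, resource, permission):
            missing.append((resource_type, permission))
    return missing


def with_collection_rule(policy, collection, principal):
    """Return a copy of the policy with the collection rule the reply asks for added."""
    fixed = json.loads(json.dumps(policy))
    fixed.append({
        "Rules": [{
            "ResourceType": "collection",
            "Resource": [f"collection/{collection}"],
            "Permission": ["aoss:DescribeCollectionItems"],
        }],
        "Principal": [principal],
    })
    return fixed


if __name__ == "__main__":
    dale = "arn:aws:iam::123456789012:user/Dale"
    print("before:", missing_grants(SAMPLE_POLICY, dale, "marketing", "orders-2024"))
    fixed = with_collection_rule(SAMPLE_POLICY, "marketing", dale)
    print("after: ", missing_grants(fixed, dale, "marketing", "orders-2024"))
```

Feed it the output of `aws opensearchserverless get-access-policy` (the `policy` field is the same JSON array) and an empty list means the principal has both the collection and index grants the reply asks about.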
It is [default] and the only one. I am executing the script on my laptop. How do I confirm the things you suggested?
Checking the Network policy
Checking the Data Access policy
Other references: Network Policies, Data access policies
Thank you very much for the detailed replies. Unfortunately I had to switch away from Serverless. Unlike the promise of Amazon that with serverless one pays only for what one uses (and that is what I came to expect after using Lambda), they charge for compute resources (not talking about data storage) per hour no matter whether one performs any actual computation or not. I incurred more than $40 charge while trying to access it! I would appreciate a suggestion as to how to approach Amazon to avoid this unfair charge.