When using Fine grained access control in OpenSearch how do I add 'cluster:monitor/health' permissions?


Currently I'm getting errors from the console because my AWS user doesn't have the correct permissions for the cluster health and indices pages.

I tried to add 'cluster:monitor/health' and 'es:*' permissions but neither worked. What do I need to do in order to fix these errors?

The indices page also fails because of a lack of 'indices:monitor/stats' permissions.

1 Answer


I understand you would like to add permissions to fine grained access control in OpenSearch and the AWS user doesn't have the correct permissions.

Fine-grained access control lets users perform actions. You manage fine-grained access control permissions using roles, users, and mappings. This section describes how to create and apply those resources. We recommend that you sign in to Dashboards as the master user to perform these operations. Kindly follow the steps listed below:

Create roles

Just like users, you can create roles using OpenSearch Dashboards, roles.yml, or the REST API.

OpenSearch Dashboards

1. Choose Security, Roles, and Create role.
2. Provide a name for the role.
3. Add permissions as desired.

   For example, you might give a role no cluster permissions, read permissions to two indexes, unlimited permissions to a third index, and read permissions to the analysts tenant.
4. Choose Submit.

Map users to roles

If you didn’t specify roles when you created your user, you can map roles to it afterwards.

Just like users and roles, you create role mappings using OpenSearch Dashboards, roles_mapping.yml, or the REST API.

OpenSearch Dashboards

1. Choose Security, Roles, and a role.
2. Choose the Mapped users tab and Manage mapping.
3. Specify users or external identities (also known as backend roles).
4. Choose Map.

**If the answer is helpful, please click "Accept Answer" and upvote it.**

Kind regards, Ahmed

Reference:

[1] https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html
[2] https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-concepts
[3] https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createupdatedomains.html

answered 10 months ago
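
The role and mapping steps in the answer can also be carried out through the security REST API it mentions. The following is an added example, not part of the original answer or of AWS's documentation: it builds the two request bodies for a role holding only the permissions named in the question and flags wildcard or IAM-style `es:` entries before anything is sent. The role name `console_monitor`, the `*` index pattern, the account ID and the ARNs are constructed assumptions.

```python
import json
import re

# Security plugin REST prefix (legacy Elasticsearch domains use _opendistro/_security/api).
SECURITY_API = "_plugins/_security/api"

def monitoring_role():
    """Role body holding only the two permissions named in the question."""
    return {
        "cluster_permissions": ["cluster:monitor/health"],
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["indices:monitor/stats"]}
        ],
    }

def suspect_grants(role):
    """Return wildcard grants and IAM-style 'es:' actions for review."""
    actions = list(role.get("cluster_permissions", []))
    for entry in role.get("index_permissions", []):
        actions += entry.get("allowed_actions", [])
    return [a for a in actions if "*" in a or a.startswith("es:")]

def role_mapping(principals):
    """IAM user ARNs are mapped as users, IAM role ARNs as backend roles."""
    mapping = {"users": [], "backend_roles": []}
    for arn in principals:
        match = re.fullmatch(r"arn:aws:iam::\d{12}:(user|role)/.+", arn)
        if not match:
            raise ValueError(f"not an IAM user or role ARN: {arn}")
        key = "users" if match.group(1) == "user" else "backend_roles"
        mapping[key].append(arn)
    return mapping

def requests_for(role_name, principals):
    """Build the two PUT requests: create the role, then map principals to it."""
    role = monitoring_role()
    if suspect_grants(role):
        raise ValueError("role is broader than intended")
    return [
        ("PUT", f"{SECURITY_API}/roles/{role_name}", role),
        ("PUT", f"{SECURITY_API}/rolesmapping/{role_name}", role_mapping(principals)),
    ]

if __name__ == "__main__":
    # Constructed placeholders: role name, account ID and principal names.
    sample = ["arn:aws:iam::123456789012:user/console-user",
              "arn:aws:iam::123456789012:role/console-role"]
    for method, path, body in requests_for("console_monitor", sample):
        print(method, path)
        print(json.dumps(body, indent=2))
```

Each request is sent to the domain endpoint while authenticated as the master user, matching the answer's recommendation for performing these operations.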
