Lambda role not authorized to perform get action to opensearch


I have a Lambda function with Python code that connects to my OpenSearch Service domain. When I test the code in Lambda I get this error:

    "body": "{\"Message\":\"User: arn:aws:sts::700875800956:assumed-role/lambdaRole/testFunction is not authorized to perform: es:ESHttpGet because no identity-based policy allows the es:ESHttpGet action\"}"

But the lambdaRole has all these permissions, so I don't know what I'm doing wrong.

This is the json of the opensearchservice policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "es:DeleteOutboundConnection",
                "es:UpdateVpcEndpoint",
                "es:DeletePackage",
                "es:ListVpcEndpoints",
                "es:ListVpcEndpointsForDomain",
                "es:ListElasticsearchInstanceTypeDetails",
                "es:ListDomainsForPackage",
                "es:ListInstanceTypeDetails",
                "es:AuthorizeVpcEndpointAccess",
                "es:AcceptInboundConnection",
                "es:DeleteElasticsearchServiceRole",
                "es:DescribeInboundConnections",
                "es:DescribeOutboundConnections",
                "es:DescribeReservedInstances",
                "es:AcceptInboundCrossClusterSearchConnection",
                "es:DescribeReservedInstanceOfferings",
                "es:DescribeInstanceTypeLimits",
                "es:DescribeVpcEndpoints",
                "es:ListVpcEndpointAccess",
                "es:DeleteInboundCrossClusterSearchConnection",
                "es:DescribeOutboundCrossClusterSearchConnections",
                "es:DeleteOutboundCrossClusterSearchConnection",
                "es:DescribeReservedElasticsearchInstanceOfferings",
                "es:CreateServiceRole",
                "es:CreateElasticsearchServiceRole",
                "es:UpdatePackage",
                "es:RejectInboundCrossClusterSearchConnection",
                "es:DeleteInboundConnection",
                "es:GetPackageVersionHistory",
                "es:RejectInboundConnection",
                "es:PurchaseReservedElasticsearchInstanceOffering",
                "es:CreateVpcEndpoint",
                "es:DescribeInboundCrossClusterSearchConnections",
                "es:ListVersions",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:PurchaseReservedInstanceOffering",
                "es:CreatePackage",
                "es:DeleteVpcEndpoint",
                "es:DescribePackages",
                "es:ListElasticsearchInstanceTypes",
                "es:ListElasticsearchVersions",
                "es:DescribeElasticsearchInstanceTypeLimits",
                "es:RevokeVpcEndpointAccess"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "arn:aws:es:xxxx:domain/project"
        }
    ]
}
1 Answer

The posted policy does not seem to contain es:ESHttpGet.

Try adding that to the policy and see if it allows it.

Alternatively, it could be related to the fact that ES requests may have to be signed with SigV4. Check these out:

  1. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/request-signing.html
  2. https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-an-easy-way-to-send-aws-sigv4-signed-requests/
EXPERT
answered a year ago
  • I added it, but then I get this error:

    "body": "{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxx:role/lambdaRole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxxx:role/lambdaRole], requestedTenant=null]"},"status":403}"
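
The answer's second point (SigV4 signing) and the security_exception in the follow-up comment both sit below the IAM policy the question shows. As an added example, not code from the question, the answer or AWS, the block below signs two requests with the standard library only: the Lambda's search call, and the fine-grained access control role mapping that grants an IAM role ARN an OpenSearch role. The domain host, region, index name, OpenSearch role name, token and credentials are placeholders (the access/secret pair is the sample pair from the AWS documentation), and the signing time is fixed so the output is reproducible; in Lambda you would take credentials from boto3.Session().get_credentials().get_frozen_credentials() so the assumed role's session token is included, and in production use opensearch-py's AWSV4SignerAuth(credentials, region, "es") rather than a hand-rolled signer.

```python
"""SigV4 signing for an Amazon OpenSearch Service request, standard library only.

Added example; not code from the question, the answer or AWS. DOMAIN_HOST,
REGION, INDEX, the role names and the credentials below are assumptions.
"""
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import quote

SERVICE = "es"  # managed OpenSearch Service signs as "es"; Serverless uses "aoss"
DOMAIN_HOST = "search-project-abc123.eu-west-1.es.amazonaws.com"  # assumed
REGION = "eu-west-1"                                               # assumed
INDEX = "project-index"                                            # assumed
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                         # AWS docs sample key
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"     # AWS docs sample key
FIXED_TIME = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)       # reproducible output
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, query, body, region, access_key, secret_key,
                 session_token=None, now=None):
    """Return (headers, canonical_request) for a SigV4-signed HTTP request.

    Only the headers listed in SignedHeaders are covered by the signature; the
    payload is covered through its SHA-256 inside the canonical request.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    payload_hash = _sha256_hex(body)

    headers = {"host": host, "x-amz-date": amz_date}
    if body:
        headers["content-type"] = "application/json"
    if session_token:  # present for assumed roles such as lambdaRole
        headers["x-amz-security-token"] = session_token

    # Canonical form: sorted query string, sorted lowercase headers with a trailing
    # newline after the header block, then the signed-header list and payload hash.
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method.upper(), quote(path, safe="/-_.~"), canonical_query,
                                   canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers, canonical_request


def search_request(creds, query_body, now=None):
    """Sign GET /<INDEX>/_search with a JSON body (the call the question's Lambda makes)."""
    access_key, secret_key, token = creds
    body = json.dumps(query_body).encode("utf-8")
    headers, _ = sign_request("GET", DOMAIN_HOST, f"/{INDEX}/_search", {}, body,
                              REGION, access_key, secret_key, token, now)
    return headers, body


def role_mapping_request(creds, os_role, iam_role_arn, now=None):
    """Sign PUT _plugins/_security/api/rolesmapping/<os_role> mapping an IAM role ARN as
    a backend role. Must be sent by the domain's master user (or a user mapped to
    security_manager); PUT replaces the whole mapping, PATCH can append instead."""
    access_key, secret_key, token = creds
    body = json.dumps({"backend_roles": [iam_role_arn]}).encode("utf-8")
    return sign_request("PUT", DOMAIN_HOST, f"/_plugins/_security/api/rolesmapping/{os_role}",
                        {}, body, REGION, access_key, secret_key, token, now)


if __name__ == "__main__":
    creds = (SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, "FwoGZXIvYXdzEXAMPLETOKEN")  # constructed
    headers, body = search_request(creds, {"query": {"match_all": {}}}, now=FIXED_TIME)
    print(headers["authorization"])
    print(body.decode())
```

Two checks worth making alongside signing, stated here as facts about the service rather than anything the thread concludes: the es:ESHttp* actions are evaluated against the domain's sub-resource ARN, so an identity policy whose Resource is only arn:aws:es:region:account:domain/project should also cover arn:aws:es:region:account:domain/project/*; and a 403 whose body reads security_exception with backend_roles=[...] is issued by the domain's fine-grained access control, which authorizes the role's ARN only after it has been mapped to an OpenSearch role (the role_mapping_request above, sent as the master user), independently of what IAM allows. The signer URI-encodes the path once, which is enough for the paths shown; paths carrying reserved characters need the per-segment encoding rule from the SigV4 specification.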
