When you encounter a 403 Forbidden error while trying to access OpenSearch Dashboards or applications, this typically indicates an authorization issue. Based on your description, there are several potential causes to investigate:
- IAM Permissions: While you mentioned having adequate IAM permissions, ensure your IAM identity specifically has the aoss:DashboardsAccessAll and aoss:APIAccessAll actions in its permissions policy for accessing OpenSearch Dashboards and the OpenSearch Serverless data plane APIs.
- Data Access Policy: Verify that your collection's data access policy contains the correct permissions for the collection and index resources. Also, confirm that the policy contains the correct IAM identity in the Principal section.
- Backend Role Mapping: If you're using fine-grained access control, ensure you've properly mapped your IAM role to the appropriate backend role in OpenSearch Dashboards:
  - Navigate to Security > Roles > [appropriate role]
  - Select Mapped users > Manage mapping
  - Under Backend roles, verify your IAM role ARN is listed
  - Confirm the role appears under Mapped users
- Authorization Strategy: Ensure that the authorization strategy selected matches your configuration (e.g., basic auth vs. SigV4). If using basic auth, verify that the correct credentials are provided.
- Dashboard Access: For OpenSearch Serverless, check if you have enabled "Access to OpenSearch Dashboards", which is disabled by default:
  - Go to OpenSearch > Collections > your collection
  - Scroll to the Network section
  - Click Manage network access > click into the network policy name
  - Choose Edit, scroll to the bottom
  - Enable "Access to OpenSearch Dashboards" and set appropriate filters
If you've verified all these settings and still encounter the 403 error, you might need to check the specific error message details to identify which permission is missing or incorrectly configured.
Sources
- Troubleshoot OpenSearch Serverless errors | AWS re:Post
- Unable to pass role ml_full_access in AWS Opensearch | AWS re:Post
- Getting a 401 when trying to access OpenSearch serverless dashboard | AWS re:Post
- Fine-grained access control in Amazon OpenSearch Service - Amazon OpenSearch Service
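The first two checks in the answer above (the aoss:DashboardsAccessAll and aoss:APIAccessAll actions in the identity policy) can be scripted against a downloaded policy document. This is an added example, not code from the answer or from AWS; the policy document, account id, collection id and the `dashboards/default` ARN are constructed sample values, and only the single identity policy is evaluated (no SCPs, permission boundaries or session policies).

```python
# Added example, not code from the re:Post answer: check an IAM identity policy
# for the aoss actions Dashboards access needs. Policy and ARNs are constructed.
import json
from fnmatch import fnmatchcase

# Each required action and the (constructed) resource ARN it is evaluated on.
REQUIRED = {
    "aoss:APIAccessAll": "arn:aws:aoss:us-east-1:123456789012:collection/abc123",
    "aoss:DashboardsAccessAll": "arn:aws:aoss:us-east-1:123456789012:dashboards/default",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards are '*' and '?', which fnmatch understands.
    return any(fnmatchcase(value, p) for p in patterns)

def missing_actions(policy, required=REQUIRED):
    """Return the required actions this identity policy does not allow.

    An explicit Deny beats an Allow. Statements written with NotAction or
    NotResource are skipped, so the check may under-report but never
    over-report access."""
    missing = []
    for action, resource in required.items():
        allowed = denied = False
        for stmt in _as_list(policy.get("Statement", [])):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction/NotResource: skipped, not guessed
            actions = [a.lower() for a in _as_list(stmt["Action"])]  # case-insensitive
            if not (_matches(actions, action.lower())
                    and _matches(_as_list(stmt["Resource"]), resource)):
                continue
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
        if denied or not allowed:
            missing.append(action)
    return missing

# Constructed policy: grants the data plane action but not Dashboards access.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["aoss:APIAccessAll", "aoss:BatchGetCollection"],
                 "Resource": "arn:aws:aoss:us-east-1:123456789012:collection/*"}]
}""")
```

Running `missing_actions(SAMPLE_POLICY)` reports `aoss:DashboardsAccessAll` as missing, which is exactly the gap that produces a 403 on the Dashboards URL while API calls still succeed.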
When encountering a 403 Forbidden error (indicating an authorization issue) while accessing OpenSearch UI Dashboard applications, it's important to understand that the solution depends on whether you're using OpenSearch Domain or OpenSearch Serverless, as they use different access control mechanisms[1].
OpenSearch Domain with Fine-Grained Access Control as Associated data sources
If you're using OpenSearch Domain as your data source, follow these steps:
a. Verify IAM Role Permissions. Required permissions include [2]:
- es:*Application permissions (for application management)
- es:*Tags permissions (for tag management)
- es:DescribeDomain and es:GetDirectQueryDataSource (for data source association)
- es:ESHttp* and opensearch:DirectQuery (for data source access)
- iam:CreateServiceLinkedRole (for service-linked role creation)
b. Check Fine-Grained Access Control Settings [3]
- Ensure IAM users/Roles are mapped to appropriate backend roles
- Required roles: security_manager and all_access (for administrators), or configure custom roles with relevant permissions
c. VPC Configuration (if applicable) [4]: For domains within a VPC, authorize OpenSearch applications under the Source Domain VPC endpoints tab.
OpenSearch Serverless Collection as Associated data sources
If using OpenSearch Serverless, ensure:
i) User/Role has Required Permissions [2]
- aoss:BatchGetCollection (for data source association)
- aoss:APIAccessAll (for data source access)
- iam:CreateServiceLinkedRole (for service-linked role creation)
ii) Access Configuration
- Configure data access policy to include authenticating user/role ARN [5]
- Set up network policy rules (public access or interface endpoint) [6]
Sources
- OpenSearch Domain Vs OpenSearch Serverless: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-comparison.html
- Permission requirements for OpenSearch UI applications: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application-getting-started.html#application-prerequisite-permissions
- Mapping roles to users: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-access-control:~:text=Mapping%20roles%20to%20users
- Opensearch Domain VPC Access Management: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/application-data-sources-and-vpc.html#application-manage-vpc-access
- Opensearch Serverless data access policies: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-data-access.html#serverless-data-access-syntax
- Opensearch Serverless Network policies: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-network.html#serverless-network-cli
- Cluster Insights: Unified monitoring dashboard for Amazon OpenSearch Service clusters: https://aws.amazon.com/blogs/big-data/introducing-cluster-insights-unified-monitoring-dashboard-for-amazon-opensearch-service-clusters/
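Step ii) above says the data access policy must include the authenticating user/role ARN; the following added example (not from the answer or from AWS) evaluates a policy in the documented syntax (a JSON list of statements, each with Rules, Principal and Description) for one principal and one resource, so a 403 can be traced to a missing principal, a non-matching Resource pattern or a missing Permission. The collection name, role ARNs and policy contents are constructed samples.

```python
# Added example, not code from the re:Post answer: evaluate an OpenSearch
# Serverless data access policy (JSON list of statements with Rules, Principal
# and Description) for one principal. Policy and ARNs are constructed samples.
import json
from fnmatch import fnmatchcase

def _matches(patterns, value):
    # Resource entries use '*' as the only wildcard, e.g. index/logs/*.
    return any(fnmatchcase(value, p) for p in patterns)

def permissions_for(policy, principal_arn, resource):
    """Permissions granted to principal_arn on a resource such as
    'collection/logs' or 'index/logs/app-2024'. Data access policies are
    allow-only, so the union of every matching rule applies."""
    resource_type = resource.split("/", 1)[0]
    granted = set()
    for statement in policy:
        # The principal must be listed literally; a wrong or missing ARN is a
        # frequent cause of 403s even when the IAM permissions are correct.
        if principal_arn not in statement.get("Principal", []):
            continue
        for rule in statement.get("Rules", []):
            if rule.get("ResourceType") != resource_type:
                continue
            if _matches(rule.get("Resource", []), resource):
                granted.update(rule.get("Permission", []))
    return granted

def allows(policy, principal_arn, resource, permission):
    """True if the policy grants permission (or aoss:*) on the resource."""
    granted = permissions_for(policy, principal_arn, resource)
    return permission in granted or "aoss:*" in granted

ADMIN = "arn:aws:iam::123456789012:role/DashboardsAdmin"
SAMPLE_POLICY = json.loads("""[
  {
    "Description": "Constructed sample: full collection access, read-only indexes",
    "Rules": [
      {"ResourceType": "collection", "Resource": ["collection/logs"],
       "Permission": ["aoss:*"]},
      {"ResourceType": "index", "Resource": ["index/logs/*"],
       "Permission": ["aoss:ReadDocument", "aoss:DescribeIndex"]}
    ],
    "Principal": ["arn:aws:iam::123456789012:role/DashboardsAdmin"]
  }
]""")
```

With this policy, `allows(SAMPLE_POLICY, ADMIN, "index/logs/app-2024", "aoss:WriteDocument")` is False, while a role ARN that is not in Principal gets nothing at all.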