How to automate Opensearch Dashboard Security and Alerting Tasks


I have created the Opensearch Dashboard with Cognito Authentication and Fine Grained access control using CDK and able to login to the Dashboard and create Roles, map roles, create monitors, destinations etc in the Dashboard UI. But i would like to create these as part of the CDK stack itself using Custom Resource via Lambda but i'm not able to find opensearch dashboard client to perform this operations from Nodejs lambda. Any pointers on this would be really helpful.

3 Answers
Accepted Answer

There is no Opensearch Dashboard SDK available at this time but I'm able to achieve this as part of the CDK Stack using Custom Resource Lambda, Opensearch Dashboard APIs, AWS NodeHttpClient with Sigv4. There is an open requests for adding this capability in the Javascript client though.

answered 2 years ago

Steps I did:

  • Add a role for lambda used by custom resource
  • update internal roles for Opensearch domain to accept the IAM role as a backend_role for "all_access" internal role, with a request made by lambda, similar to this
curl -X PUT "" -H "Content-Type: application/json" -H "kbn-xsrf: true" -u "master_username:master_password" -d '{
  "backend_roles": ["arn:aws:iam::xxxxxxxx:role/ROLE-NAME"],
  "hosts": [],
  "users": ["master_username"]
const generateRequest = (request: HttpRequestType) => {
  // Promise wrapper for https request
  return new Promise((resolve, reject) => {
    const options = {
      hostname: request.hostname,
      port: request.port,
      protocol: request.protocol,
      path: request.path,
      method: request.method,
      headers: request.headers,
    const req = https.request(options, (res) => {
      let responseBody = "";

      res.on("data", (d) => {
        responseBody += d;

      res.on("end", () => {

    req.on("error", (error) => {

    // Write data to request body

  const credentials = await defaultProvider()();
  const signer = new SignatureV4({
    region: process.env.AWS_REGION,
    service: "es",
    sha256: Sha256,

  const indexPatternRequest = new HttpRequest({
    body: JSON.stringify({
      attributes: {
        title: IndexPattern,
    port: 443,
    protocol: "https:",
    hostname: DomainDashboardUrl,
    path: "/_dashboards/api/saved_objects/index-pattern",
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "osd-xsrf": "true", // Required by OpenSearch Dashboards for all save operations
      Host: DomainDashboardUrl,

  const signedRequest = await signer.sign(indexPatternRequest);

  const sendRequest = generateRequest(signedRequest);
  const response = await sendRequest;
answered 3 months ago

Hi, there is a CDK construct library to manage OpenSearch resources such as role or role mapping.

You can create OpenSearch resources with the following code:

import { OpenSearchRole, OpenSearchRoleMapping } from 'opensearch-rest-resources';

const role = new OpenSearchRole(this, 'Role1', {
    roleName: 'Role1',
    payload: {
        clusterPermissions: ['indices:data/write/bulk'],
        indexPermissions: [
                indexPatterns: ['*'],
                allowedActions: ['read', 'write', 'index', 'create_index'],

const roleMapping = new OpenSearchRoleMapping(this, 'RoleMapping1', {
    roleName: 'Role1',
    payload: {
        backendRoles: [role.roleArn],
    removalPolicy: RemovalPolicy.RETAIN,
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions