I am trying to create Domain in open search, I used the Below IAM permission but everytime it is giving me this error-:
Before you can proceed, you must enable a service-linked role to give Amazon OpenSearch Service permissions to create and manage resources on your behalf
I have also attached the Service Linked Role but still I am facing the Issue
I am using this IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpDelete",
"es:ESHttpGet",
"es:ESHttpHead",
"es:ESHttpPost",
"es:ESHttpPut",
"es:ESHttpPatch",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"es:AddTags",
"es:AssociatePackage",
"es:CreateDomain",
"es:CreateOutboundConnection",
"es:DeleteDomain",
"es:DescribeDomain",
"es:DescribeDomainAutoTunes",
"es:DescribeDomainConfig",
"es:DescribeDomains",
"es:DissociatePackage",
"es:ESCrossClusterGet",
"es:GetCompatibleVersions",
"es:GetUpgradeHistory",
"es:GetUpgradeStatus",
"es:ListPackagesForDomain",
"es:ListTags",
"es:RemoveTags",
"es:StartServiceSoftwareUpdate",
"es:UpdateDomainConfig",
"es:UpdateNotificationStatus",
"es:UpgradeDomain"
],
"Resource": ""
},
{
"Effect": "Allow",
"Action": [
"es:AcceptInboundConnection",
"es:CancelServiceSoftwareUpdate",
"es:CreatePackage",
"es:CreateServiceRole",
"es:DeletePackage",
"es:DescribeInboundConnections",
"es:DescribeInstanceTypeLimits",
"es:DescribeOutboundConnections",
"es:DescribePackages",
"es:DescribeReservedInstanceOfferings",
"es:DescribeReservedInstances",
"es:GetPackageVersionHistory",
"es:ListDomainNames",
"es:ListDomainsForPackage",
"es:ListInstanceTypeDetails",
"es:ListInstanceTypes",
"es:ListNotifications",
"es:ListVersions",
"es:PurchaseReservedInstanceOffering",
"es:RejectInboundConnection",
"es:UpdatePackage"
],
"Resource": ""
},
{
"Sid": "AllowCreationOfServiceLinkedRoleForOpenSearch",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam:::role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService*",
"arn:aws:iam:::role/aws-service-role/es.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService"
],
"Condition": {
"StringLike":{
"iam:AWSServiceName": [
"opensearchservice.amazonaws.com",
"es.amazonaws.com"
]
}
}
}
]
}