Issues Connecting Service hosted on Fargate to OpenSearch in Same VPC

0

Hi all, we have a service hosted on ECS Fargate and an OpenSearch domain that has fine-grained access control enabled [user]. On the service side we have attached OpenSearchServiceReadOnlyAccess, since the service is only doing get/search operations on the OpenSearch domain. [screenshot]

On the OpenSearch domain side we have the following: [screenshot]

When a service ECS task tries to make search calls to the OpenSearch domain, we get the error below:

User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/service-TaskRole/54bbad32d1f24ee99e40f74f36f076b5 is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action

Can someone help? Do I need to add an identity-based policy like the one below?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:*"
      ],
      "Effect": "Allow",
      "Resource":  "arn:aws:sts::xxxxxxxxxxxx:assumed-role/domain/*"
    }
  ]
}

Or is there anything else we need to do?

1 Answer
1

Hi there,

ESHttpPost requires "Write" permissions, so the ReadOnly policy that you attached would not give the role the proper permissions.

See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html

AWS EXPERT Matt-B
answered 25 days ago
reviewed 25 days ago
  • Hi There

    Instead of the AmazonOpenSearchServiceFullAccess policy, I would recommend adhering to the principle of least privilege. You could create a policy with the specific permissions needed.

    example:

    { "Effect": "Allow", "Action": "es:ESHttpPost", "Resource": "arn:aws:es:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT_ID:domain/YOUR_DOMAIN_NAME/*" }

  • Hi, thanks for your answer. I checked the link you provided and that makes sense. It looks like the _search API with a request body is treated as a POST, and that needs Write permissions.

    So just adding AmazonOpenSearchServiceFullAccess to the ECS Fargate task role should resolve this issue, and there should not be a need to add an identity-based policy on the OpenSearch domain.

    Update: it looks like I get another error after attaching AmazonOpenSearchServiceFullAccess: Caused by: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/service-TaskRole, backend_roles=[arn:aws:iam::xxxxxxxxxxxxx:role/service-TaskRole], requestedTenant=null]]]

    It looks like we do need additional work here to add IAM role-based fine-grained access.
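The thread ends with two separate authorization layers to satisfy: the IAM identity policy on the task role, and the OpenSearch fine-grained access control (FGAC) mapping of that role. The following is an added example, not code from the thread or from AWS: it parses the FGAC security_exception quoted above to recover the denied action and the IAM principal, and builds the three pieces a fix needs, a least-privilege IAM policy scoped to the domain ARN, an OpenSearch security role granting only that action, and the role mapping that lists the task role ARN as a backend role. Account id, region, domain and role names are constructed placeholders; the PUTs to the security API paths must be sent SigV4-signed by the domain's master user.

```python
import re

# Constructed sample values (placeholders, not from the original post).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
DOMAIN = "my-domain"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/service-TaskRole"
OS_ROLE_NAME = "fargate_search_reader"   # hypothetical FGAC role name

# Matches the reason text of an OpenSearch FGAC denial, e.g.
# "no permissions for [indices:data/read/search] and User [name=..., backend_roles=[arn...], ...]"
_EXC_RE = re.compile(
    r"no permissions for \[([^\]]+)\] and User \[.*?backend_roles=\[([^\]]*)\]")


def parse_security_exception(msg):
    """Return (denied_action, [backend_role_arns]) from an FGAC denial, else None."""
    m = _EXC_RE.search(msg)
    if not m:
        return None
    roles = [r.strip() for r in m.group(2).split(",") if r.strip()]
    return m.group(1), roles


def task_role_policy():
    """IAM identity policy for the ECS task role: only the HTTP verbs the search
    client uses, scoped to the domain ARN (not es:* and not an STS ARN)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["es:ESHttpGet", "es:ESHttpPost"],
        "Resource": f"arn:aws:es:{REGION}:{ACCOUNT_ID}:domain/{DOMAIN}/*"}]}


def fgac_role(index_pattern, action):
    """Body for PUT _plugins/_security/api/roles/<name>: grant exactly the action
    the denial named, on the index pattern the service reads."""
    return {"index_permissions": [{"index_patterns": [index_pattern],
                                   "allowed_actions": [action]}]}


def fgac_role_mapping(backend_roles):
    """Body for PUT _plugins/_security/api/rolesmapping/<name>: IAM role ARNs go
    in backend_roles; that is how FGAC recognises an IAM principal."""
    return {"backend_roles": list(backend_roles)}


def plan_from_error(msg, index_pattern):
    """Turn a denial message into the security-API requests that would fix it."""
    parsed = parse_security_exception(msg)
    if parsed is None:
        return None
    action, roles = parsed
    return {f"PUT _plugins/_security/api/roles/{OS_ROLE_NAME}": fgac_role(index_pattern, action),
            f"PUT _plugins/_security/api/rolesmapping/{OS_ROLE_NAME}": fgac_role_mapping(roles)}
```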
