1 Answer
1
Hi There
ESHttpPost requires "Write" permissions, so the ReadOnly policy that you attached would not give the role the proper permissions.
See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html
Hi There
Instead of the AmazonOpenSearchServiceFullAccess policy, I would recommend adhering to the principle of least privilege. You could create a policy with the specific permissions needed.
example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "arn:aws:es:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT_ID:domain/YOUR_DOMAIN_NAME/*"
    }
  ]
}
```
Hi, thanks for your answer. I checked the link you provided and that makes sense. Looks like the _search API with a request body is considered a POST and that needs Write permissions.
So just adding the AmazonOpenSearchServiceFullAccess to the ECS Fargate Task role should resolve this issue and there should not be a need to add an identity-based policy on the OpenSearch domain.
Update: looks like I get another error after adding AmazonOpenSearchServiceFullAccess - Caused by: OpenSearchStatusException[OpenSearch exception [type=security_exception, reason=no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/service-TaskRole, backend_roles=[arn:aws:iam::xxxxxxxxxxxxx:role/service-TaskRole], requestedTenant=null]]]
Looks like we do need additional work here to add IAM role-based fine-grained access.
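The thread above touches two separate authorization layers: the IAM policy on the task role (which must grant es:ESHttpPost for a _search with a request body, as the answer notes) and, once IAM lets the request through, the domain's fine-grained access control, which produced the security_exception in the last comment. The following Python script is an added example, not code from the thread or from AWS: it evaluates a least-privilege policy of the shape suggested above against an IAM action and resource, and it parses the two kinds of denial message so a practitioner can tell which layer rejected the call. The policy evaluator is a deliberately minimal model of IAM (explicit Deny wins, then Allow, else implicit deny; no conditions or principals), the read-only policy is a constructed stand-in rather than the real AWS managed policy, and the ARNs, account id 111122223333, region and domain name are placeholders.

```python
import fnmatch
import re

# Placeholder identifiers (constructed, not real).
ACCOUNT_ID = "111122223333"
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_ID}:domain/my-domain"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/service-TaskRole"

# Least-privilege policy in the shape suggested in the answer above.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "es:ESHttpPost", "Resource": DOMAIN_ARN + "/*"}
    ],
}

# Constructed stand-in for a read-only policy: only GET/HEAD verbs are granted,
# which is why a POST to _search is denied at the IAM layer.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpHead"], "Resource": "*"}
    ],
}

# Constructed sample messages. The second one mirrors the shape of the
# security_exception quoted in the thread, with a placeholder account id.
SAMPLE_IAM_DENIAL = (
    f"User: {TASK_ROLE_ARN} is not authorized to perform: es:ESHttpPost "
    f"on resource: {DOMAIN_ARN}/logs/_search"
)
SAMPLE_SECURITY_EXCEPTION = (
    "OpenSearch exception [type=security_exception, reason=no permissions for "
    f"[indices:data/read/search] and User [name={TASK_ROLE_ARN}, "
    f"backend_roles=[{TASK_ROLE_ARN}], requestedTenant=null]]"
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Minimal IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


IAM_DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
)
SECURITY_EXCEPTION_RE = re.compile(
    r"no permissions for \[(?P<perm>[^\]]+)\] and User \[name=(?P<name>[^,]+), "
    r"backend_roles=\[(?P<backend>[^\]]*)\]"
)


def classify_denial(message):
    """Decide which layer rejected the request and what it was missing.

    An IAM denial names the es:* action that needs to be granted on the role;
    a security_exception names an OpenSearch permission (e.g. indices:data/read/search)
    and the backend role that fine-grained access control has not mapped to a role.
    """
    m = SECURITY_EXCEPTION_RE.search(message)
    if m:
        return {
            "layer": "fine-grained-access-control",
            "missing": m.group("perm"),
            "principal": m.group("name"),
            "backend_roles": [r.strip() for r in m.group("backend").split(",") if r.strip()],
        }
    m = IAM_DENIAL_RE.search(message)
    if m:
        return {"layer": "iam", "missing": m.group("action"), "principal": m.group("principal")}
    return {"layer": "unknown", "missing": None, "principal": None}


if __name__ == "__main__":
    search_path = DOMAIN_ARN + "/logs/_search"
    print("read-only allows POST _search:", is_allowed(READ_ONLY_POLICY, "es:ESHttpPost", search_path))
    print("least-privilege allows POST _search:", is_allowed(LEAST_PRIVILEGE_POLICY, "es:ESHttpPost", search_path))
    print(classify_denial(SAMPLE_IAM_DENIAL))
    print(classify_denial(SAMPLE_SECURITY_EXCEPTION))
```

Running the script shows the read-only stand-in denying es:ESHttpPost on the _search path while the least-privilege statement allows it, and the two parsed messages point at different remedies: the IAM denial is fixed on the task role's policy, whereas the security_exception is fixed by mapping the backend role ARN to a role that carries the missing OpenSearch permission inside the domain's fine-grained access control.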