Opensearch Serverless Cross-Account Limitations


From the docs here:

Cross-account access to collections isn't supported. You can't include collections from other accounts in your encryption or data access policies.

What exactly does this mean? Technically, you can set up a collection in one AWS account, expose it to the public internet, and have a client in another account access a collection right?

Does this mean that you can't set up network/data access policies that allow one AWS account to access a collection in another account via VPC?

asked a year ago, 1372 views
2 Answers
0

Amazon OpenSearch Serverless does not allow creating a data access policy with a cross-account identity or a cross-account collection. That doesn't mean you cannot set up cross-account access. You can always use assume-role to access a cross-account collection. Below are the sample steps.

  1. Let's say you have created a collection named alb-logs in account 123456789012 with the required encryption and network policy as per your requirement.
  2. Now create an IAM role (aoss-cross-account-role) in your account (123456789012) where you have created the collection alb-logs, with the required permissions, and create a trust relationship with the account from which you want to access this collection. For example, if you want user abcdef in account 987654321012 to access your collection alb-logs created in account 123456789012, you need to set up the IAM trust policy like below.
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::987654321012:user/abcdef"
				]
			},
			"Action": "sts:AssumeRole",
			"Condition": {}
		}
	]
}

Note: This is just an example policy. You can set up more complex conditions for additional restrictions.

  3. Update your data access policy in account 123456789012 with the ARN of the newly created IAM role. For our example, the data access policy will look like this.
[
  {
    "Rules": [
      {
        "Resource": [
          "collection/alb-logs"
        ],
        "Permission": [
          "aoss:DescribeCollectionItems"
        ],
        "ResourceType": "collection"
      },
      {
        "Resource": [
          "index/alb-logs/*"
        ],
        "Permission": [
          "aoss:DescribeIndex",
          "aoss:ReadDocument"
        ],
        "ResourceType": "index"
      }
    ],
    "Principal": [
      "arn:aws:iam::123456789012:role/aoss-cross-account-role"
    ],
    "Description": "Rule 1"
  }
]

Note: This is just a sample policy. This policy will allow the role arn:aws:iam::123456789012:role/aoss-cross-account-role to describe the alb-logs collection's items and to describe and read any indices in the collection alb-logs in account 123456789012.

  4. Now, using the credentials of the user arn:aws:iam::987654321012:user/abcdef, you can call the STS assume-role API to assume the role and obtain credentials.
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/aoss-cross-account-role" --role-session-name AWSCLI-AOSS-Cross-Account
  5. You can use the credentials obtained in step 4 to access the collection alb-logs created in account 123456789012 from account 987654321012.

For cross account access of AOSS via VPC:

  1. Create a VPC endpoint in your other account 987654321012; it will give you a VPC endpoint ID like vpce-<ALPHA-NUMERIC-STRING>.
  2. Update the network policy in your account 123456789012 with that VPC endpoint ID to allow access to the collection in account 123456789012 from account 987654321012 via VPC.
AWS
answered a year ago
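The assume-role setup from this answer, as an added Python example (not code from the answer or from AWS): it generates the two policies from the answer's placeholder account IDs, role and collection names, flags a data access policy that names a principal outside the collection's account (the limitation the docs describe), and maps an `aws sts assume-role` response to the environment variables the CLI and SDKs read.

```python
import re

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/")

def trust_policy(external_principal_arn):
    """Trust policy for the role in the collection's account: it lets the
    principal from the other account call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": [external_principal_arn]},
            "Action": "sts:AssumeRole",
        }],
    }

def data_access_policy(collection, role_arn):
    """Read-only AOSS data access policy that grants only the local role."""
    return [{
        "Rules": [
            {"Resource": [f"collection/{collection}"],
             "Permission": ["aoss:DescribeCollectionItems"],
             "ResourceType": "collection"},
            {"Resource": [f"index/{collection}/*"],
             "Permission": ["aoss:DescribeIndex", "aoss:ReadDocument"],
             "ResourceType": "index"},
        ],
        "Principal": [role_arn],
        "Description": "read-only access via the assumed role",
    }]

def foreign_principals(policy, collection_account):
    """Return principals whose account is not the collection's account.
    AOSS rejects cross-account principals, so anything returned here must
    be replaced by a role living in collection_account."""
    bad = []
    for statement in policy:
        for arn in statement["Principal"]:
            match = ARN_ACCOUNT.match(arn)
            if not match or match.group(1) != collection_account:
                bad.append(arn)
    return bad

def env_from_assume_role(response):
    """Turn an `aws sts assume-role` JSON response (constructed in tests)
    into the environment variables the AWS CLI and SDKs read."""
    creds = response["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}
```

Export the returned variables before running the OpenSearch client so its SigV4 signature carries the assumed role rather than the original user.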
-1

Hello,

I understand that you have a query about cross-account access of OpenSearch Serverless.

Does this mean that you can't set up network/data access policies that allow one AWS account to access a collection in another account via VPC?

Yes. As of now, you can't set up a connection between a client/application in account A and another account B that has the OpenSearch Serverless collection. You can't include collections from other accounts in your encryption or data access policies. Client applications/instances need to be in the same account where OpenSearch Serverless resides to access collections in OpenSearch Serverless.

I hope you find the information helpful. Please feel free to get back to me if you have any further queries regarding the same and I would be glad to assist you further.

AWS
answered a year ago
