403 when testing demo data Kinesis Data Firehose to OpenSearch Serverless

0

Hi! I'm copying this tutorial almost exactly: https://aws.amazon.com/blogs/big-data/serverless-logging-with-amazon-opensearch-serverless-and-amazon-kinesis-data-firehose/

I've set up OpenSearch Serverless with Network access = Public, and a Kinesis Data Firehose delivery stream that delivers to it. I've then edited the data access policy and tried a lot of different things, granting

index/*/* | index | aoss:*

to the Firehose IAM name. I've tried both selecting the IAM role from the dropdown ("arn:aws:iam::<account_id>:role/service-role/<IAM_role_name>") and copying the syntax from the tutorial ("arn:aws:sts::<account_id>:assumed-role/<IAM_role_name>/*").

When I use the "test with demo data" on Kinesis Firehose, I end up with the following errors:

  • "message": "Error received from the Amazon OpenSearch Service cluster or OpenSearch Serverless collection. If the cluster or collection is behind a VPC, ensure network configuration allows connectivity. {"status":403,"request-id":"32af50b5-152a-931a-9e96-688f91bb34d1","error":{"reason":"403 Forbidden","type":"Forbidden"}}", "errorCode": "OS.ServiceException"
  • "message": "Authentication/authorization error during attempt to deliver data to destination ES/OS cluster. This can happen due to any permission issues and/or intermittently when your firehose target ES/OS domain configuration is modified. Please check the cluster policy and role permissions.", "errorCode": ""

Any ideas?

belinda
asked 8 months ago, 166 views
No Answers
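The question revolves around which principal form and which resource pattern to put in the collection's data access policy. A 403 from OpenSearch Serverless can come from either of two authorization layers: the collection's data access policy, or the delivery role's own IAM policy, which must allow `aoss:APIAccessAll` before any data-plane call is evaluated against the data access policy. The following Python script is an added example, not code from this thread or from the linked AWS tutorial. It checks both layers offline against constructed sample policies; the account id, role, collection and index names are placeholders, and the minimum index permission set it looks for (`aoss:CreateIndex`, `aoss:WriteDocument`) is an assumption, which `aoss:*` satisfies in any case.

```python
"""Offline checker for the two authorization layers between a Kinesis Data Firehose
delivery role and an OpenSearch Serverless collection: the collection's data access
policy and the role's IAM policy.  Added example; every name below is a constructed
placeholder, not an identifier from the thread."""
import fnmatch
import json

# Constructed placeholders.
ACCOUNT_ID = "123456789012"
ROLE_NAME = "KinesisFirehoseServiceRole-example"
COLLECTION = "firehose-logs"
INDEX = "firehose-index"

# Assumed minimum index permissions Firehose needs; aoss:* also satisfies this.
REQUIRED_INDEX_PERMS = {"aoss:CreateIndex", "aoss:WriteDocument"}


def principal_covers_role(principal, account_id, role_name):
    """True if a data-access-policy principal names the role in either form the
    question tries: the IAM role ARN, or the STS assumed-role ARN with a session
    wildcard.  A principal in a different account never matches."""
    iam_prefix = f"arn:aws:iam::{account_id}:role/"
    sts_prefix = f"arn:aws:sts::{account_id}:assumed-role/{role_name}/"
    if principal.startswith(iam_prefix):
        # Role ARNs may carry a path such as service-role/; the last segment is the name.
        return principal.rsplit("/", 1)[-1] == role_name
    return principal.startswith(sts_prefix)


def missing_index_permissions(policy_json, account_id, role_name, collection, index,
                              required=REQUIRED_INDEX_PERMS):
    """Return the required permissions NOT granted to the role on
    index/<collection>/<index>; an empty set means the data access policy suffices."""
    target = f"index/{collection}/{index}"
    granted = set()
    for stmt in json.loads(policy_json):
        if not any(principal_covers_role(p, account_id, role_name)
                   for p in stmt.get("Principal", [])):
            continue
        for rule in stmt.get("Rules", []):
            if rule.get("ResourceType") != "index":
                continue
            # Resource patterns such as index/*/* or index/<collection>/* are globs.
            if not any(fnmatch.fnmatchcase(target, r) for r in rule.get("Resource", [])):
                continue
            perms = set(rule.get("Permission", []))
            granted |= set(required) if "aoss:*" in perms else perms & set(required)
    return set(required) - granted


def role_allows_api_access(policy_json):
    """True if the role's IAM policy allows aoss:APIAccessAll, the data-plane action
    OpenSearch Serverless requires in addition to the data access policy."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase("aoss:APIAccessAll", a) for a in actions):
            return True
    return False


def diagnose(data_access_policy_json, role_policy_json, account_id, role_name,
             collection, index):
    """Human-readable findings; an empty list means both layers look correct."""
    findings = []
    if not role_allows_api_access(role_policy_json):
        findings.append("delivery role IAM policy does not allow aoss:APIAccessAll")
    missing = missing_index_permissions(data_access_policy_json, account_id,
                                        role_name, collection, index)
    if missing:
        findings.append(f"data access policy does not grant {sorted(missing)} "
                        f"on index/{collection}/{index} to role {role_name}")
    return findings


# Constructed sample: a data access policy using the assumed-role principal form.
GOOD_DATA_ACCESS_POLICY = json.dumps([{
    "Rules": [{"ResourceType": "index",
               "Resource": [f"index/{COLLECTION}/*"],
               "Permission": ["aoss:*"]}],
    "Principal": [f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/*"],
}])

# Constructed sample of a common mistake: the rule names a different collection.
WRONG_COLLECTION_POLICY = json.dumps([{
    "Rules": [{"ResourceType": "index",
               "Resource": ["index/other-collection/*"],
               "Permission": ["aoss:*"]}],
    "Principal": [f"arn:aws:iam::{ACCOUNT_ID}:role/service-role/{ROLE_NAME}"],
}])

# Constructed sample IAM policies for the delivery role: one with data-plane access,
# one with only a control-plane action.
GOOD_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aoss:APIAccessAll",
     "Resource": f"arn:aws:aoss:us-east-1:{ACCOUNT_ID}:collection/*"}]})
NO_DATA_PLANE_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["aoss:BatchGetCollection"], "Resource": "*"}]})

if __name__ == "__main__":
    cases = [("good", GOOD_DATA_ACCESS_POLICY, GOOD_ROLE_POLICY),
             ("wrong collection", WRONG_COLLECTION_POLICY, GOOD_ROLE_POLICY),
             ("no APIAccessAll", GOOD_DATA_ACCESS_POLICY, NO_DATA_PLANE_ROLE_POLICY)]
    for label, dap, rp in cases:
        print(label, diagnose(dap, rp, ACCOUNT_ID, ROLE_NAME, COLLECTION, INDEX) or "ok")
```

To use it against a real setup, paste the JSON shown in the console for the collection's data access policy and for the delivery role's inline policy into the two sample constants and fill in the real account id, role name, collection and index; the script needs no AWS credentials and never calls an API, so it is safe to run anywhere.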
