
After building an OpenSearch Serverless service, connecting with an IAM boto Python script gives a 403 error: user does not have permission

0

Hello. After building an OpenSearch collection service, I created the corresponding access key ID and secret key. When accessing it with boto3 code, the following error keeps appearing: opensearchpy.exceptions.AuthorizationException: AuthorizationException(403, 'security_exception', 'OpenSearch exception [type=authorization_exception, reason=User does not have permissions for the requested resource]')

The Data access section already shows the following principals: Principals arn:aws:iam::????:role/???? arn:aws:iam::????:user/????. The relevant code is as follows:

```python
import boto3
from opensearchpy import OpenSearch, RequestsHttpConnection
from requests_aws4auth import AWS4Auth

# Initialize a session using Boto3
session = boto3.Session()

# Retrieve credentials
credentials = session.get_credentials()
region = 'us-east-2'  # e.g., 'us-west-2'

# Create AWS4Auth object for OpenSearch Serverless
awsauth = AWS4Auth(
    credentials.access_key,
    credentials.secret_key,
    region,
    'aoss',  # Changed from 'es' to 'aoss' for OpenSearch Serverless
    session_token=credentials.token
)

client = OpenSearch(
    hosts=[{'host': '????', 'port': 443}],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection
)

# Test basic connectivity
try:
    print("Testing basic connectivity...")
    response = client.cat.health()
    print("Health check passed:", response)
except Exception as e:
    print("Health check failed:", e)

# Test listing indices
try:
    print("\nTesting list indices...")
    indices = client.cat.indices()
    print("Existing indices:", indices)
except Exception as e:
    print("List indices failed:", e)

# Test creating index (might fail due to permissions)
try:
    print("\nTesting create index...")
    client.indices.create(index="test-index")
    print("Index created successfully")
except Exception as e:
    print("Create index failed:", e)
```

I also exported AWS_ACCESS_KEY_ID=???? and AWS_SECRET_ACCESS_KEY=????; these two are the ones created in the access key section when building the IAM user. Why do I still get an access permission denied?

2 Answers
0

The 403 error you're encountering with OpenSearch Serverless is due to missing IAM permissions, even though you've set up the Data Access Policy correctly.

For OpenSearch Serverless, having a Data Access Policy that includes your IAM principal (user/role) is necessary but not sufficient. You also need to ensure that the IAM identity you're using has two specific IAM permissions:

  1. aoss:APIAccessAll - For accessing OpenSearch Serverless data plane APIs
  2. aoss:DashboardsAccessAll - For accessing OpenSearch Dashboards

Without these permissions, you'll continue to receive 403 errors even if your principal is listed in the Data Access Policy.

To fix this issue:

  1. Attach an IAM policy to your user or role that includes these permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll",
        "aoss:DashboardsAccessAll"
      ],
      "Resource": "*"
    }
  ]
}
```

  2. After adding these permissions, your boto3 script should be able to connect successfully.

If you continue to experience issues after adding these permissions, verify that your AWS credentials are correct and that your network policy allows access from your location (public access or VPC endpoint as appropriate).
Sources
Troubleshoot OpenSearch Serverless errors | AWS re:Post
Data access control for Amazon OpenSearch Serverless - Amazon OpenSearch Service

answered 7 months ago
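The answer above names three layers that must all allow the call before an OpenSearch Serverless request succeeds: the IAM identity policy (aoss:APIAccessAll), the collection's data access policy (the principal must be listed), and the network policy (public access or a VPC endpoint). The script below is an added example, not code from the question or the answer, that models those three checks offline so you can see which layer is producing the 403 before touching a live account. Everything in it is constructed: the account id, user ARN, collection name and collection id are placeholders, the policy documents are sample JSON in the shapes AWS uses for data access and network policies, and the IAM evaluator is a deliberate simplification (Allow/Deny over Action and Resource, no Conditions). It also scopes the answer's policy to one collection ARN instead of "*", which the aoss:APIAccessAll action supports.

```python
import fnmatch

# Constructed placeholders; not real account ids, users or collection ids.
IDENTITY_ARN = "arn:aws:iam::123456789012:user/alice"
COLLECTION_NAME = "my-collection"
COLLECTION_ARN = "arn:aws:aoss:us-east-2:123456789012:collection/exampleid1234"


def build_iam_policy(collection_arn: str) -> dict:
    """The identity policy from the answer, scoped to one collection ARN instead of '*'."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["aoss:APIAccessAll", "aoss:DashboardsAccessAll"],
                "Resource": collection_arn,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants. Condition blocks are ignored (assumption for this offline check)."""
    decision = False
    for stmt in policy.get("Statement", []):
        hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))) and any(
            fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))
        )
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision


def data_access_allows(policies: list, principal_arn: str, resource: str, permission: str) -> bool:
    """Data access policy evaluation: the principal must be listed on a policy whose
    rule covers the resource (e.g. 'index/my-collection/*') and the permission."""
    for policy in policies:
        if principal_arn not in policy.get("Principal", []):
            continue
        for rule in policy.get("Rules", []):
            if any(fnmatch.fnmatchcase(resource, r) for r in rule.get("Resource", [])) and any(
                fnmatch.fnmatchcase(permission, p) for p in rule.get("Permission", [])
            ):
                return True
    return False


def network_allows(policies: list, collection_name: str, from_public: bool = True) -> bool:
    """Network policy: a collection rule must cover the collection and the policy must
    allow the caller's path (public internet here; VPC callers need SourceVPCEs)."""
    target = f"collection/{collection_name}"
    for policy in policies:
        covers = any(
            rule.get("ResourceType") == "collection"
            and any(fnmatch.fnmatchcase(target, r) for r in rule.get("Resource", []))
            for rule in policy.get("Rules", [])
        )
        if not covers:
            continue
        if from_public and policy.get("AllowFromPublic"):
            return True
        if not from_public and policy.get("SourceVPCEs"):
            return True
    return False


def diagnose(identity_arn, iam_policy, data_access_policies, network_policies,
             collection_name, collection_arn) -> list:
    """Return the reasons a data-plane call (here: creating 'test-index') would get a
    403; an empty list means all three layers allow it."""
    findings = []
    if not iam_allows(iam_policy, "aoss:APIAccessAll", collection_arn):
        findings.append("IAM identity policy does not grant aoss:APIAccessAll on the collection")
    if not data_access_allows(data_access_policies, identity_arn,
                              f"index/{collection_name}/test-index", "aoss:CreateIndex"):
        findings.append("data access policy does not grant aoss:CreateIndex to this principal")
    if not network_allows(network_policies, collection_name):
        findings.append("network policy does not allow public access to the collection")
    return findings


# Constructed policies mirroring the asker's setup: principal listed, public network access.
DATA_ACCESS_POLICIES = [
    {
        "Rules": [
            {"ResourceType": "index", "Resource": [f"index/{COLLECTION_NAME}/*"], "Permission": ["aoss:*"]},
            {"ResourceType": "collection", "Resource": [f"collection/{COLLECTION_NAME}"], "Permission": ["aoss:*"]},
        ],
        "Principal": [IDENTITY_ARN],
    }
]
NETWORK_POLICIES = [
    {"Rules": [{"ResourceType": "collection", "Resource": [f"collection/{COLLECTION_NAME}"]}],
     "AllowFromPublic": True}
]

if __name__ == "__main__":
    no_iam_policy = {"Version": "2012-10-17", "Statement": []}
    print("Without IAM policy:", diagnose(IDENTITY_ARN, no_iam_policy, DATA_ACCESS_POLICIES,
                                          NETWORK_POLICIES, COLLECTION_NAME, COLLECTION_ARN))
    print("With IAM policy:", diagnose(IDENTITY_ARN, build_iam_policy(COLLECTION_ARN),
                                       DATA_ACCESS_POLICIES, NETWORK_POLICIES,
                                       COLLECTION_NAME, COLLECTION_ARN))
```

Run with the empty identity policy and the only finding is the missing aoss:APIAccessAll grant, which is exactly the asker's situation: the principal is in the data access policy, yet the request fails before that policy is ever consulted. Against a real account the same three inputs can be pulled with boto3 (iam get-policy-version, opensearchserverless get-access-policy and get-security-policy) and fed to diagnose unchanged.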
0

AuthorizationException(403, 'security_exception', 'OpenSearch exception [type=authorization_exception, reason=User does not have permissions for the requested resource]'). Same issue here.

answered 7 months ago
