Lambda role not authorized to perform get action to opensearch

0

I have a Lambda function with Python code that connects to my OpenSearch Service domain. Now when I test the code in Lambda I get this error: "body": "{\"Message\":\"User: arn:aws:sts::700875800956:assumed-role/lambdaRole/testFunction is not authorized to perform: es:ESHttpGet because no identity-based policy allows the es:ESHttpGet action\"}"

But the lambdaRole has all these permissions, so I don't know what I'm doing wrong: [screenshot of the role's attached permissions]

This is the JSON of the OpenSearch Service policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "es:DeleteOutboundConnection",
                "es:UpdateVpcEndpoint",
                "es:DeletePackage",
                "es:ListVpcEndpoints",
                "es:ListVpcEndpointsForDomain",
                "es:ListElasticsearchInstanceTypeDetails",
                "es:ListDomainsForPackage",
                "es:ListInstanceTypeDetails",
                "es:AuthorizeVpcEndpointAccess",
                "es:AcceptInboundConnection",
                "es:DeleteElasticsearchServiceRole",
                "es:DescribeInboundConnections",
                "es:DescribeOutboundConnections",
                "es:DescribeReservedInstances",
                "es:AcceptInboundCrossClusterSearchConnection",
                "es:DescribeReservedInstanceOfferings",
                "es:DescribeInstanceTypeLimits",
                "es:DescribeVpcEndpoints",
                "es:ListVpcEndpointAccess",
                "es:DeleteInboundCrossClusterSearchConnection",
                "es:DescribeOutboundCrossClusterSearchConnections",
                "es:DeleteOutboundCrossClusterSearchConnection",
                "es:DescribeReservedElasticsearchInstanceOfferings",
                "es:CreateServiceRole",
                "es:CreateElasticsearchServiceRole",
                "es:UpdatePackage",
                "es:RejectInboundCrossClusterSearchConnection",
                "es:DeleteInboundConnection",
                "es:GetPackageVersionHistory",
                "es:RejectInboundConnection",
                "es:PurchaseReservedElasticsearchInstanceOffering",
                "es:CreateVpcEndpoint",
                "es:DescribeInboundCrossClusterSearchConnections",
                "es:ListVersions",
                "es:DescribeReservedElasticsearchInstances",
                "es:ListDomainNames",
                "es:PurchaseReservedInstanceOffering",
                "es:CreatePackage",
                "es:DeleteVpcEndpoint",
                "es:DescribePackages",
                "es:ListElasticsearchInstanceTypes",
                "es:ListElasticsearchVersions",
                "es:DescribeElasticsearchInstanceTypeLimits",
                "es:RevokeVpcEndpointAccess"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "arn:aws:es:xxxx:domain/project"
        }
    ]
}
1 Answer
0

The posted policy does not seem to contain ESHttpGet.

Try adding that to the policy and see if it allows it.

Alternatively, it could be related to the fact that ES requests may have to be signed with SigV4. Check these out:

  1. https://docs.aws.amazon.com/opensearch-service/latest/developerguide/request-signing.html
  2. https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-an-easy-way-to-send-aws-sigv4-signed-requests/
Expert
Answered 1 year ago
  • I added it but then I get this error:

    "body": "{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxx:role/lambdaRole], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxx:role/lambdaRole, backend_roles=[arn:aws:iam::xxxx:role/lambdaRole], requestedTenant=null]"},"status":403}"
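As an added example (not code from the question, the answer, or AWS), this is a stdlib-only Python Lambda handler that does the SigV4-signed GET the answer points to: it derives the signing key from the execution role's temporary credentials (exposed by the Lambda runtime as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN), signs under the "es" service name, and includes the session token in the signed headers; the OPENSEARCH_HOST variable and the `index`/`q` event fields are assumed names.

```python
import datetime
import hashlib
import hmac
import os
import urllib.parse
import urllib.request

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_query(query: dict) -> str:
    """SigV4 query encoding: sorted keys, unreserved chars only ('/' and ':' get %-escaped)."""
    q = lambda s: urllib.parse.quote(s, safe="-_.~")
    return "&".join(f"{q(k)}={q(v)}" for k, v in sorted(query.items()))

def sigv4_headers(method, host, path, query, region, access_key, secret_key,
                  session_token=None, body=b"", now=None):
    """Headers that let an OpenSearch domain authorize the caller for es:ESHttp* actions."""
    service = "es"  # OpenSearch Service domains are signed under the "es" service name
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # a Lambda execution role yields temporary creds, so the token is signed too
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([method, urllib.parse.quote(path, safe="/~"), canonical_query(query),
                                   "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                                   signed, hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, service, "aws4_request"):  # derive the scoped signing key
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def lambda_handler(event, context):
    """Signed GET /<index>/_search with the execution role's credentials from the Lambda env."""
    host, region = os.environ["OPENSEARCH_HOST"], os.environ["AWS_REGION"]  # OPENSEARCH_HOST is assumed
    path, query = f"/{event.get('index', 'my-index')}/_search", {"q": event.get("q", "*")}
    headers = sigv4_headers("GET", host, path, query, region, os.environ["AWS_ACCESS_KEY_ID"],
                            os.environ["AWS_SECRET_ACCESS_KEY"], os.environ.get("AWS_SESSION_TOKEN"))
    req = urllib.request.Request(f"https://{host}{path}?{canonical_query(query)}", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:  # a 403 here is IAM or fine-grained access control
        return {"statusCode": resp.status, "body": resp.read().decode("utf-8")}
```

On the IAM side, es:ESHttpGet is evaluated against the domain plus request path, so the resource needs the form arn:aws:es:region:account:domain/project/* rather than the bare domain ARN shown in the question. The security_exception in the comment above (with backend_roles= listing the role ARN) is raised by the domain's fine-grained access control, which maps IAM role ARNs to OpenSearch roles separately from the IAM policy.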
