使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

How to set up IAM role to access AWS OpenSearch Service domain through terraform

0

I have an OpenSearch domain deployed in AWS and want to manage it through Terraform provider. I have the following provider block. How do I set up an IAM role that can be used to access this domain through Terraform?

provider "opensearch" {
  aws_region = "<region>"
  aws_profile = "<profile>"
  healthcheck = true
  url = "<domain_url>"
  sign_aws_requests = false
  aws_assume_role_arn = "<role_arn>"
}

I have tried by creating a role with the following trust policy and admin privileges, and added this role to the provider.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "es.amazonaws.com",
                "AWS": "arn:aws:iam::<account_no>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

But this does not work and gives me │ Error: elastic: Error 401 (Unauthorized) when I do terraform apply.

主題
無伺服器分析安全性、身分識別與合規
標籤
Amazon OpenSearch ServiceIAM 政策Terraform
語言
English
Mihir Gosai
已提問 6 個月前檢視次數 933 次
2 個答案
0

You can use the AWS Policy generator - https://awspolicygen.s3.amazonaws.com/policygen.html. Choose IAM policy and add the relevant information in order to create the policy.

profile pictureAWS
支援工程師
Ravid_G
已回答 6 個月前
0

There are a few things you can check:

  1. Ensure that the user or role associated with the aws_profile set in your provider has sts:AssumeRole permission on the role you created.
  2. The provider configuration you posted is explicitly disabling signing of AWS requests. This setting is intended for using HTTP Basic Auth. I recommend configuring your opensearch provider with sign_aws_requests = true for use with IAM authentication.
  3. If you have Fine-Grained Access Control enabled and the role you are using is not set as the master user, you may need to add a role mapping for the role you are trying to use.
profile pictureAWS
Sean Nixon
已回答 6 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容