How do I troubleshoot fine-grained access control errors in my Amazon OpenSearch Service cluster?

Last updated: 2021-08-05

I'm experiencing access control errors in my Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) cluster. How do I troubleshoot and resolve access control errors?

Short description

You might experience one of the following fine-grained access control errors in your OpenSearch Service cluster:

  • "security_exception","reason":"no permissions" 403 errors
  • "User: anonymous is not authorized to perform: iam:PassRole"
  • "Couldn’t find any Elasticsearch data"
  • 401 unauthorized errors

In addition to troubleshooting these errors, this article shows you how to complete the following tasks using OpenSearch Service:

  • Integrate other AWS services with OpenSearch Service when fine-grained access control is enabled
  • Allow anonymous access using fine-grained access control
  • Provide fine-grained access to specific indices, dashboards, and visualizations based on user tenancy
  • Use fine-grained access control at a field level

Resolution

"security_exception","reason":"no permissions" 403 errors

To resolve this error, first check whether the user or backend role in your OpenSearch Service cluster is mapped to a role that has the required permissions. If it isn't, map the user or backend role to a role that grants them.

"User: anonymous is not authorized to perform: iam:PassRole"

You might receive this error when you try to register a manual snapshot. In addition to the permissions that the AWS Identity and Access Management (IAM) role you use to register the manual snapshot normally needs, you must map the manage_snapshots role to that IAM role. Then, use that IAM role to send a signed request to the domain.

"Couldn’t find any Elasticsearch data"

You might receive this error when you try to create index patterns after upgrading to OpenSearch Service version 7.9. Index pattern creation calls the resolve API, so in an FGAC-enabled cluster the role used for it must be granted the "indices:admin/resolve/index" permission on all indices and aliases. When this permission is missing, OpenSearch Service returns a 403 error status code, which OpenSearch Dashboards in turn maps to a 500 error status code. As a result, the indices are not listed.
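The two checks above (is the user mapped to a role, and does that role grant the action on the index) can be rehearsed offline against the security plugin's roles and rolesmapping configuration. The following is an added example, not code from this article or from AWS; the ROLES and ROLES_MAPPING dictionaries are constructed sample data in the shape of that configuration, and action groups are not expanded, only raw action names and wildcard patterns.

```python
from fnmatch import fnmatchcase

# Constructed sample data, shaped like the security plugin's roles and
# rolesmapping configuration. Action groups are not expanded here.
ROLES = {
    "logs_reader": {
        "index_permissions": [
            {"index_patterns": ["logs-*"],
             "allowed_actions": ["indices:data/read/search"]},
        ],
    },
    # Grants the resolve permission on all indices, as the text recommends.
    "index_pattern_creator": {
        "index_permissions": [
            {"index_patterns": ["*"],
             "allowed_actions": ["indices:admin/resolve/index"]},
        ],
    },
}
ROLES_MAPPING = {
    "logs_reader": {"users": ["alice"], "backend_roles": ["analysts"]},
    "index_pattern_creator": {"users": [], "backend_roles": ["dashboards-admins"]},
}


def mapped_roles(user, backend_roles, mapping=ROLES_MAPPING):
    """Security roles the user reaches directly or through a backend role."""
    return sorted(
        name for name, m in mapping.items()
        if user in m.get("users", [])
        or any(b in m.get("backend_roles", []) for b in backend_roles)
    )


def role_allows(role, index, action):
    """True if one index_permissions entry matches both the index and the action."""
    for perm in role.get("index_permissions", []):
        index_ok = any(fnmatchcase(index, p) for p in perm.get("index_patterns", []))
        action_ok = any(fnmatchcase(action, a) for a in perm.get("allowed_actions", []))
        if index_ok and action_ok:
            return True
    return False


def check_access(user, backend_roles, index, action, roles=ROLES, mapping=ROLES_MAPPING):
    """Return (allowed, mapped role names). allowed=False is the 403 'no permissions' case."""
    names = mapped_roles(user, backend_roles, mapping)
    allowed = any(role_allows(roles[n], index, action) for n in names if n in roles)
    return allowed, names
```

Running check_access for a user against "indices:admin/resolve/index" on any index shows directly whether the "Couldn't find any Elasticsearch data" symptom is a missing mapping or a role that lacks the permission.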

401 unauthorized errors

You might receive a 401 unauthorized error when you use the "$" or "!" characters in primary credentials with curl -u "user:password". Inside double quotes the shell expands "$" and, in an interactive session, "!" triggers history expansion, so the password that reaches the domain is not the one you typed. Make sure to put your credentials in single quotes, as in the following example:

curl -u 'user:password' <DOMAIN-ENDPOINT>

Integrate other AWS services with OpenSearch Service when fine-grained access control is enabled

To integrate another AWS service with OpenSearch Service when fine-grained access control is enabled, you must give the IAM roles for those services the appropriate permissions. For more information, see the OpenSearch Service documentation on using integrations with fine-grained access control.

Allow anonymous access using fine-grained access control

Because of the managed nature of OpenSearch Service, anonymous access isn't currently supported.

Provide fine-grained access to specific indices, dashboards, and visualizations based on user tenancy

To provide FGAC access to specific indices or dashboards, map the user to a role that has permissions to the tenant's Kibana index:

.kibana_<hash>_<tenant_name>

For more information, see Manage Kibana indices on the Open Distro website.

Use fine-grained access control at a field level

To use fine-grained access control at field level, set up a role with the required field level security. Then, map the user to the role you created.
