How do I troubleshoot fine-grained access control errors in my Amazon OpenSearch Service cluster?
Last updated: 2021-08-05
I'm experiencing access control errors in my Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) cluster. How do I troubleshoot and resolve access control errors?
You might experience one of the following fine-grained access control errors in your OpenSearch Service cluster:
- "security_exception","reason":"no permissions" 403 errors
- "User: anonymous is not authorized to perform: iam:PassRole"
- "Couldn’t find any Elasticsearch data"
- 401 unauthorized errors
In addition to troubleshooting these errors, this article shows you how to complete the following tasks using OpenSearch Service:
- Integrate other AWS services with OpenSearch Service when fine-grained access control is enabled
- Allow anonymous access using fine-grained access control
- Provide fine-grained access to specific indices, dashboards, and visualizations based on user tenancy
- Use fine-grained access control at a field level
"security_exception","reason":"no permissions" 403 errors
The security plugin returns this 403 when none of the roles mapped to the authenticated user grants the requested action on the target index. The full error names the missing action (for example, indices:data/read/search) and the user's backend roles, which for IAM-authenticated requests are the caller's IAM ARN. To resolve the error, add the missing action to a role whose index patterns cover that index, then confirm that the user name or backend role is mapped to that role in the security plugin.
"User: anonymous is not authorized to perform: iam:PassRole"
You might receive this error when you try to register a manual snapshot repository. In addition to the permissions that the AWS Identity and Access Management (IAM) role normally needs to register the repository (es:ESHttpPut on the domain and iam:PassRole on the snapshot role that OpenSearch Service assumes), you must map the manage_snapshots role to that IAM role in the security plugin. Then use that IAM role's credentials to send a signed request to the domain. The word "anonymous" in the message typically means that the request reached the domain unsigned, so the domain evaluated it as an unauthenticated caller and refused to pass the role.
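The two requests described above, as an added example that is not part of the AWS article and does not use the AWS SDK: a standard-library SigV4 signer, the role-mapping call that grants manage_snapshots to the registering IAM role, and the repository registration whose role_arn is what triggers the iam:PassRole check. The domain endpoint, bucket, role ARNs and access keys are placeholders, and the _plugins/_security path applies to OpenSearch-engine domains (Elasticsearch-engine domains use _opendistro/_security).

```python
"""Added example (not from the AWS article): register a manual snapshot
repository on a fine-grained-access-control domain with signed requests,
using only the standard library. All domain, bucket, role and key values
below are constructed placeholders."""
import datetime
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import quote, urlsplit

DOMAIN = "https://search-mydomain-abcdefghijk.us-east-1.es.amazonaws.com"  # hypothetical
REGION = "us-east-1"
SNAPSHOT_ROLE_ARN = "arn:aws:iam::123456789012:role/TheSnapshotRole"      # role the domain assumes; caller needs iam:PassRole on it
REGISTRAR_ROLE_ARN = "arn:aws:iam::123456789012:role/SnapshotRegistrar"   # IAM role whose credentials sign the requests


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_request(method, url, body, access_key, secret_key, region,
                 session_token=None, service="es", now=None):
    """Return the headers for an AWS Signature Version 4 signed request to an OpenSearch Service domain."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parts = urlsplit(url)
    canonical_uri = quote(parts.path or "/", safe="/~")
    canonical_query = "&".join(sorted(parts.query.split("&"))) if parts.query else ""
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"content-type": "application/json", "host": parts.netloc, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (assumed role) must also send the token
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp), region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def role_mapping_request():
    """Step 1: map the registering IAM role (as a backend role) to the manage_snapshots security role."""
    body = json.dumps({"backend_roles": [REGISTRAR_ROLE_ARN]}).encode()
    return "PUT", f"{DOMAIN}/_plugins/_security/api/rolesmapping/manage_snapshots", body


def register_repository_request(repo="manual-snapshots", bucket="my-snapshot-bucket"):
    """Step 2: register the S3 repository; the role_arn setting is what makes the domain call iam:PassRole."""
    body = json.dumps({"type": "s3",
                       "settings": {"bucket": bucket, "region": REGION,
                                    "role_arn": SNAPSHOT_ROLE_ARN}}).encode()
    return "PUT", f"{DOMAIN}/_snapshot/{repo}", body


def send(method, url, body, access_key, secret_key, session_token=None):
    """Sign and send one request; returns (status, response body). Network access required."""
    headers = sign_request(method, url, body, access_key, secret_key, REGION, session_token)
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def demo_headers():
    """Sign the registration with AWS's documented example keys and a fixed timestamp (reproducible, offline)."""
    method, url, body = register_repository_request()
    fixed = datetime.datetime(2021, 8, 5, 12, 0, 0, tzinfo=datetime.timezone.utc)
    return sign_request(method, url, body, "AKIAIOSFODNN7EXAMPLE",
                        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", REGION, now=fixed)


if __name__ == "__main__":
    for name, (m, u, b) in (("role mapping", role_mapping_request()),
                            ("register repository", register_repository_request())):
        print(name, m, u, b.decode())
    print(demo_headers()["authorization"])
```

Run the role-mapping request with credentials that already have admin rights on the security plugin (the master user), then the repository registration with the registrar role's credentials; if the second call is sent unsigned, the domain reports the caller as anonymous and the iam:PassRole error above appears.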
"Couldn’t find any Elasticsearch data"
You might receive this error when you try to create an index pattern in OpenSearch Dashboards after upgrading to version 7.9 or later. From 7.9 on, Dashboards uses the resolve index API to find the indices and aliases behind an index pattern, so the role mapped to the user must grant the indices:admin/resolve/index permission on every index and alias that the pattern covers, in addition to read access. When this permission is missing, the security plugin returns a 403 error status code, which Dashboards surfaces as a 500 error status code, and the indices are not listed.
401 unauthorized errors
You might receive a 401 unauthorized error when the primary (master) user's password contains the "$" or "!" characters and you pass the credentials to curl in double quotes, as in curl -u "user:password". The shell expands "$" sequences (and, in an interactive shell, "!" history references) before curl sees the argument, so curl sends a different password than the one you typed. Enclose the credentials in single quotes instead:
curl -u 'user:password' <DOMAIN-ENDPOINT>
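The quoting difference above, as an added POSIX sh example that is not part of the AWS article: it shows what each quoting style actually hands to curl, and rebuilds the Authorization header that curl -u derives from the credential so you can compare it with what the domain expects. The user name, the demo password pa$$w0rd!, and the endpoint are constructed; base64 is the coreutils command.

```shell
# Added example, not from the AWS article. Reproduces the 401 cause: a password
# containing "$" (or "!") that the shell rewrites when the credential is given
# to curl -u inside double quotes.

DEMO_USER='user'
DEMO_PASS='pa$$w0rd!'   # constructed demo password; single quotes keep every byte literal

# What curl receives when the credential is written in double quotes: the shell
# replaces "$$" with its own process ID before curl runs (an interactive shell
# may also treat "!" as a history reference).
creds_double_quoted() {
    printf '%s' "user:pa$$w0rd!"
}

# What curl receives when the credential is written in single quotes: the bytes
# pass through unchanged, which is the fix the article gives.
creds_single_quoted() {
    printf '%s' 'user:pa$$w0rd!'
}

# Rebuild the header curl -u sends, "Authorization: Basic base64(user:password)",
# so the value can be compared with what the domain expects.
basic_auth_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Safe invocation: the password lives in a variable that was assigned with single
# quotes; expanding "$DEMO_PASS" inside double quotes does not expand the "$$"
# inside its value a second time.
query_domain() {
    # $1: domain endpoint, e.g. https://search-mydomain-abcdefghijk.us-east-1.es.amazonaws.com (hypothetical)
    curl -sS -u "${DEMO_USER}:${DEMO_PASS}" "$1/_cat/indices?v"
}

if [ "$(creds_double_quoted)" != "$(creds_single_quoted)" ]; then
    echo "double quotes mangled the credential to: $(creds_double_quoted)"
fi
```

If you would rather keep the password out of the command line and shell history entirely, curl's --netrc-file option reads the credential from a file, which sidesteps quoting altogether.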
Integrate other AWS services with OpenSearch Service when fine-grained access control is enabled
To integrate another AWS service with OpenSearch Service when fine-grained access control is enabled, you must map the IAM roles that those services use to security roles with the appropriate permissions. For more information, see the OpenSearch Service documentation on integrations with fine-grained access control.
Allow anonymous access using fine-grained access control
Because of the managed nature of OpenSearch Service, anonymous access isn't currently supported.
Provide fine-grained access to specific indices, dashboards, and visualizations based on user tenancy
To provide fine-grained access to specific indices, dashboards, or visualizations, map the user to a role that has permissions on the tenant's Kibana index. Each tenant keeps its saved objects (dashboards, visualizations, and index patterns) in a separate Kibana index, so a user sees only the objects of the tenants that their roles grant access to, and the user still needs read permissions on the data indices behind those objects.
For more information, see Manage Kibana indices on the Open Distro website.
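The "no permissions" 403, the missing indices:admin/resolve/index permission from the "Couldn't find any Elasticsearch data" section, and the tenant check above, worked through in one added example that is not part of the AWS article: a small model of how the security plugin resolves a user's roles from role mappings and decides whether an action on an index, or access to a tenant, is permitted. The role names, user names and IAM ARN are constructed, and the action-group contents are a simplified subset of the plugin's built-in groups, not their real definitions.

```python
"""Added example (not from the AWS article): a minimal model of the security
plugin's role resolution, used to reproduce the 403 "no permissions" error for
a missing indices:admin/resolve/index permission and to check tenant access.
Role, user and ARN values are constructed for the demo."""
import fnmatch

# Simplified action groups: the group names are the plugin's, the contents are a
# constructed subset. Note that "read" here does not include resolve/index.
ACTION_GROUPS = {
    "read": ["indices:data/read/*", "indices:admin/mappings/fields/get*"],
    "search": ["indices:data/read/search*", "indices:data/read/msearch*"],
}

# Security roles in the shape of the plugin's roles API.
ROLES = {
    "logs_reader": {  # reads data but cannot resolve index patterns (fails on Dashboards 7.9+)
        "index_permissions": [{"index_patterns": ["logs-*"], "allowed_actions": ["read"]}],
        "tenant_permissions": [{"tenant_patterns": ["analytics"], "allowed_actions": ["kibana_all_read"]}],
    },
    "logs_reader_fixed": {  # same role with the permission Dashboards 7.9+ needs
        "index_permissions": [{"index_patterns": ["logs-*"],
                               "allowed_actions": ["read", "indices:admin/resolve/index"]}],
        "tenant_permissions": [{"tenant_patterns": ["analytics"], "allowed_actions": ["kibana_all_write"]}],
    },
}

# Role mappings: a user name, or a backend role (for IAM callers, the role ARN), maps to a security role.
ROLE_MAPPINGS = {
    "logs_reader": {"users": ["alice"], "backend_roles": []},
    "logs_reader_fixed": {"users": [], "backend_roles": ["arn:aws:iam::123456789012:role/analyst"]},
}


def expand_actions(actions, groups=ACTION_GROUPS):
    """Flatten action groups (recursively) into the concrete action patterns they contain."""
    out = []
    for a in actions:
        out.extend(expand_actions(groups[a], groups) if a in groups else [a])
    return out


def roles_for(user, backend_roles=()):
    """Security roles mapped to this user directly or through any of its backend roles."""
    return [name for name, m in ROLE_MAPPINGS.items()
            if user in m.get("users", []) or set(backend_roles) & set(m.get("backend_roles", []))]


def check_index_action(user, action, index, backend_roles=()):
    """Return (allowed, message); the denial message mirrors the plugin's 403 body."""
    for role in roles_for(user, backend_roles):
        for perm in ROLES[role]["index_permissions"]:
            index_ok = any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"])
            action_ok = any(fnmatch.fnmatchcase(action, p) for p in expand_actions(perm["allowed_actions"]))
            if index_ok and action_ok:
                return True, f"allowed by role {role}"
    return False, (f"no permissions for [{action}] and User [name={user}, "
                   f"backend_roles={list(backend_roles)}]")


def check_tenant(user, tenant, write=False, backend_roles=()):
    """Tenant access: kibana_all_write implies read access; kibana_all_read is read-only."""
    for role in roles_for(user, backend_roles):
        for perm in ROLES[role].get("tenant_permissions", []):
            if any(fnmatch.fnmatchcase(tenant, p) for p in perm["tenant_patterns"]):
                granted = perm["allowed_actions"]
                if "kibana_all_write" in granted or (not write and "kibana_all_read" in granted):
                    return True
    return False


if __name__ == "__main__":
    arn = ["arn:aws:iam::123456789012:role/analyst"]
    print(check_index_action("alice", "indices:admin/resolve/index", "logs-2021.08.05"))
    print(check_index_action("svc", "indices:admin/resolve/index", "logs-2021.08.05", backend_roles=arn))
    print(check_tenant("alice", "analytics"), check_tenant("alice", "analytics", write=True))
```

The first call reproduces the failure: alice can search logs-* but the role never grants indices:admin/resolve/index, so the result is the same "no permissions for [indices:admin/resolve/index]" text that Dashboards turns into a 500. The IAM caller mapped to logs_reader_fixed succeeds. When you read a real 403 from the domain, the action and backend_roles in the message tell you exactly which role definition and which mapping to check.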
Use fine-grained access control at a field level
To use fine-grained access control at the field level, create a role whose index permissions include a field-level security (fls) list naming either the fields to expose or, with a "~" prefix, the fields to hide. Then map the user to the role you created. Fields that the list hides are stripped from the documents returned to that user.
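How a role's fls list shapes what a mapped user gets back, as an added example that is not part of the AWS article: two constructed roles, one using an exclusion list and one an inclusion list, are applied to a constructed customer document. The "~" exclusion prefix and wildcard matching on dotted field names are the plugin's conventions; the role, index and document values are made up for the demo, and the function only models the filtering, it is not the plugin's code.

```python
"""Added example (not from the AWS article): apply a role's field-level
security (fls) list to a document the way the security plugin filters
search hits. Roles, index names and the sample document are constructed."""
import fnmatch

# Constructed roles in the shape of the security roles API. A role's fls list is
# either fields to include, or fields to exclude with a "~" prefix (the plugin
# expects a role to use one style, not both).
ROLES = {
    "support_reader": {"index_permissions": [{
        "index_patterns": ["customers-*"],
        "allowed_actions": ["read"],
        "fls": ["~ssn", "~payment.*"],     # exclusion list: everything except these
    }]},
    "marketing_reader": {"index_permissions": [{
        "index_patterns": ["customers-*"],
        "allowed_actions": ["read"],
        "fls": ["name", "email"],          # inclusion list: only these
    }]},
}

# Constructed sample document, as it would be stored in customers-2021.
SAMPLE_DOC = {"name": "Ada", "email": "ada@example.com", "ssn": "123-45-6789",
              "payment": {"card_last4": "4242", "token": "tok_abc"}, "plan": "pro"}


def flatten(doc, prefix=""):
    """Flatten nested objects into dotted field names, which is what fls patterns match on."""
    out = {}
    for key, value in doc.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def unflatten(flat):
    """Rebuild nested objects from dotted field names."""
    out = {}
    for name, value in flat.items():
        node = out
        parts = name.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return out


def fls_for(role, index):
    """The fls list of the first index permission covering this index, or None if the role has none."""
    for perm in ROLES[role]["index_permissions"]:
        if any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"]):
            return perm.get("fls", [])
    return None


def apply_fls(role, index, doc):
    """Return the document as a user mapped to `role` would see it from `index`."""
    fls = fls_for(role, index)
    if fls is None:
        raise PermissionError(f"no permissions for [indices:data/read/search] on {index}")
    if not fls:                       # no fls configured: the whole document is visible
        return doc
    excludes = [p[1:] for p in fls if p.startswith("~")]
    includes = [p for p in fls if not p.startswith("~")]
    kept = {}
    for field, value in flatten(doc).items():
        if excludes and any(fnmatch.fnmatchcase(field, p) for p in excludes):
            continue
        if includes and not any(fnmatch.fnmatchcase(field, p) for p in includes):
            continue
        kept[field] = value
    return unflatten(kept)


if __name__ == "__main__":
    for role in ROLES:
        print(role, apply_fls(role, "customers-2021", SAMPLE_DOC))
```

Note that an excluded wildcard such as ~payment.* removes the whole payment object when every field under it is hidden, and that fls only hides fields: a user without index permissions on customers-* is rejected before any field filtering happens, which is the 403 path from the first section.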