How can I delegate Amazon OpenSearch Service access across AWS accounts using IAM roles?

Last updated: 2021-08-05

I want to share the Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) resources in my account with users in a different account. How can I do this?

Short description

The easiest way to enable cross-account access for your OpenSearch Service domain is to set up cross-account control using an AWS Identity and Access Management (IAM) role. By adding an IAM role in the target account, you can allow users from trusted accounts to access the OpenSearch Service domain under the target account. In this way, different users in your organization can access and manage the central logging station by switching IAM roles in the AWS console.

For users to access your domain resources using an IAM role, the process is as follows:

  1. Create a role in Account A that is allowed to access the target domain.
  2. Create a user under Account B that is allowed to assume a role in Account A.
  3. Grant users in Account B access to the target domain by switching to that role.

Note: Account A is the account where the target domain resides. Account B is the account where users access the central logging station from.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Create a role and grant permissions to manage your domain

In this example, we create a role called CrossAccount-test and grant it full permissions to manage the domain named test.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:*"
            ],
            "Resource": "arn:aws:es:<Region>:<Account A-ID>:domain/test/*"
        }
    ]
}

Edit the trust relationship of the role

Next, edit the trust relationship of the role CrossAccount-test.

Note: Change the account number and user name accordingly.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com",
        "AWS": [
          "arn:aws:iam::<Account B-ID>:root",
          "arn:aws:iam::<Account B-ID>:user/<User Name>"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

In Steps 1 and 2, you define the user in Account B as a trusted entity and grant full permissions to allow trusted users to access your domain in Account A.

Grant access to users in Account B

In Account B, create a user or group with the following permissions:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<Account A-ID>:role/<CrossAccount-test>"
    }
}

When you add this policy statement, you allow the AssumeRole action on the CrossAccount-test role in Account A.

Note: Be sure that you change <Account A-ID> in the Resource element to the AWS account ID of Account A.

Edit the OpenSearch Service access policy to allow the role to access the domain

At this point, you trust Account B to assume the role in Account A. Next, allow this role to access your domain.

Edit the OpenSearch Service access policy and enter the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<Account A-ID>:role/<CrossAccount-test>"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:<Region>:<Account A-ID>:domain/<Domain Name>/*"
    }
  ]
}
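Before switching roles, it is worth confirming that the three documents agree with each other. The following is an added example and not code from the AWS article: a stdlib-only Python check that reads the trust policy, the Account B user policy and the domain access policy, confirms they form one chain (trust, then sts:AssumeRole, then domain access), and flags grants broader than the chain needs, such as trusting all of Account B through :root or granting es:* on the domain, both of which the sample policies above include. The account IDs, Region, user name alice and finding texts are constructed placeholders.

```python
# Added example, not from the article: an offline consistency check for the trust,
# user and domain access policies above. IDs, Region and user name are constructed.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CrossAccount-test"
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_A}:domain/test"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allow_statements(policy, action=None):
    """Statement may be one object or a list; return Allow statements (for `action`)."""
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"
            and (action is None or action in _as_list(s["Action"]))]

def _aws_principals(s):
    p = s.get("Principal", {})
    return _as_list(p if isinstance(p, str) else p.get("AWS", []))

def check_chain(trust_policy, user_policy, domain_policy):
    """Return findings; [] means trust -> AssumeRole -> domain access line up tightly."""
    findings = []
    # Step 1: the role in Account A must trust an Account B principal, ideally not :root.
    trusted = [p for s in _allow_statements(trust_policy, "sts:AssumeRole")
               for p in _aws_principals(s)]
    if not any(f":{ACCOUNT_B}:" in p for p in trusted):
        findings.append("trust policy names no principal in Account B")
    if f"arn:aws:iam::{ACCOUNT_B}:root" in trusted:
        findings.append("trust policy trusts Account B root (any identity in B allowed sts:AssumeRole)")
    # Step 2: the Account B identity must be allowed to assume exactly this role.
    assumable = [r for s in _allow_statements(user_policy, "sts:AssumeRole")
                 for r in _as_list(s["Resource"])]
    if ROLE_ARN not in assumable and "*" not in assumable:
        findings.append(f"user policy does not allow sts:AssumeRole on {ROLE_ARN}")
    # Step 3: the domain access policy should admit only the role, on this domain.
    for s in _allow_statements(domain_policy):
        if not any(r.startswith(DOMAIN_ARN) for r in _as_list(s["Resource"])):
            findings.append("domain policy statement does not cover the target domain")
        for p in _aws_principals(s):
            if p != ROLE_ARN:
                findings.append(f"domain policy admits principal {p} other than the role")
        if "es:*" in _as_list(s["Action"]):
            findings.append("domain policy grants es:*; narrow to the es:ESHttp* actions users need")
    return findings

# Constructed sample documents in the same shapes as the article's.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_B}:user/alice"]}}]}
USER = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
        "Action": "sts:AssumeRole", "Resource": ROLE_ARN}}
DOMAIN = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "es:ESHttpGet",
          "Principal": {"AWS": ROLE_ARN}, "Resource": DOMAIN_ARN + "/*"}]}
```

Running check_chain(TRUST, USER, DOMAIN) on the constructed documents returns an empty list; feed it the article's :root trust policy or es:* domain policy (with your own IDs substituted) to see the corresponding findings.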

Test access by switching roles

Now that you have enabled cross-account support, switch roles to test the access:

  1. Copy the CrossAccount-test role ARN to your clipboard.
  2. Log in to Account B using the AWS console.
  3. From the User tab, choose Switch Role in the drop-down list.
  4. On the Switch Role page, enter the account ID for Account A and the role name. In this example, the role name is CrossAccount-test.
  5. Choose Switch Role.

Note: If Account B needs to work in the Account A environment at the command line, you can switch roles using the AWS CLI. For more information, see Switch roles (AWS CLI).

Your user permissions immediately switch to those permitted by the role that you created under Account A. By setting up your cross-account access in this way, your users don't need to create individual IAM users under different accounts. You also don't have to sign out from one account and then sign into another to access a resource.