Anthony helps you troubleshoot
"User: anonymous is not authorized"
errors with Elasticsearch


When I view my Elasticsearch Service domain from the AWS console, the cluster is displayed with an Active status, but I am unable to access it. I receive the message “User: anonymous is not authorized”.

Requests return this error when they are unsigned or when there is an error in the syntax of the access policy.

To troubleshoot this issue, check the following:

  • Verify that you are using a client that supports credential signing, and that your requests are being signed correctly. AWS uses the Signature Version 4 Signing Process to add authentication information to AWS requests; requests from clients that aren’t compatible with Signature Version 4 are rejected with an ‘anonymous is not authorized’ error. For examples of well-formed requests to Elasticsearch, see Signing an Amazon Elasticsearch Service Search Request.
  • Verify that the users and resources specified in the access policy have the correct Amazon Resource Name (ARN) specified. For general information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.
  • Ensure that IP addresses specified in the access policy use CIDR notation. Access policies use CIDR notation when checking your IP address against the IP addresses specified by the policy.
  • Verify that the IP addresses specified in your access policy match the IP addresses you are using to access your Elasticsearch cluster. Your IP may have changed since the access policy was originally configured. You can determine the public-facing IP address of any instance at

Review Troubleshoot IAM Policies for additional troubleshooting information.

Elasticsearch, anonymous, not authorized, access policy, IAM, ARN, AWS console, CIDR notation, cluster

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-11-01