I get a "User: anonymous is not authorized" error when I try to access my Elasticsearch cluster
Last updated: 2020-09-18
When I try to access my Amazon Elasticsearch Service (Amazon ES) domain or Kibana, I receive the following error message: "User: anonymous is not authorized". How do I resolve this error?
Requests return this error when they are unsigned and come from a source IP address that isn't allowed in the access policy. Requests also return this error when there is an error in the syntax of the access policy.
If you are using a client that doesn't support request signing (such as a browser), consider the following:
- Use an IP-based access policy. IP-based policies allow unsigned requests to an Amazon ES domain.
- Be sure that the IP addresses specified in the access policy use CIDR notation. Access policies use CIDR notation when checking IP address against the access policy.
- Verify that the IP addresses specified in the access policy are the same ones used to access your Elasticsearch cluster. You can get the public IP address of your local computer at https://checkip.amazonaws.com/.
Note: If you're receiving an authorization error, check to see if you're using a public or private IP address. IP-based access policies can't be applied to Amazon ES domains that reside within a virtual private cloud (VPC). This is because security groups already enforce IP-based access policies. For public access, IP-based policies are still available. For more information, see About access policies on VPC domains.
If you're using a client that supports request signing, check the following:
- Be sure that your requests are correctly signed. AWS uses the Signature Version 4 signing process to add authentication information to AWS requests. Requests from clients that aren't compatible with Signature Version 4 are rejected with a "User: anonymous is not authorized" error. For examples of correctly signed requests to Amazon ES, see Making and signing Amazon ES requests.
- Verify that the correct Amazon Resource Name (ARN) is specified in the access policy.
If your Amazon ES domain resides within a VPC, configure an open access policy with or without a proxy server. Then, use security groups to control access. For more information, see About access policies on VPC domains.