I get a "User: anonymous is not authorized" error when I try to access my Elasticsearch cluster
Last updated: 2020-02-05
When I try to access my Amazon Elasticsearch Service (Amazon ES) domain or Kibana, I receive the following error message: “User: anonymous is not authorized”.
Requests return this error when they are unsigned and come from a source IP address that isn't allowed in the access policy. Requests also return this error when there is an error in the syntax of the access policy.
If you are using a client that doesn't support request signing, such as a browser:
- Use an IP-based access policy. IP-based policies allow unsigned requests to an Amazon ES domain.
- Make sure that the IP addresses specified in the access policy uses CIDR notation. Access policies use CIDR notation when checking IP address against the access policy.
- Verify that the IP addresses specified in the access policy match the IP addresses that you're using to access your Elasticsearch cluster. Your IP address might have changed since the time that the access policy was first configured. You can get the public IP address of your local computer at https://checkip.amazonaws.com/.
If you are using a client that supports request signing, check the following:
- Make sure that your requests are signed correctly. AWS uses the Signature Version 4 Signing Process to add authentication information to AWS requests. Requests from clients that aren't compatible with Signature Version 4 are rejected with the error "User: anonymous is not authorized". For examples of correctly signed requests to Amazon ES, see Making and Signing Amazon ES Requests.
- Verify that the correct Amazon Resource Name (ARN) is specified in the access policy.