I get a "User: anonymous is not authorized" error when I try to access my Elasticsearch cluster

Last updated: 2020-06-30

When I try to access my Amazon Elasticsearch Service (Amazon ES) domain or Kibana, I receive the following error message: "User: anonymous is not authorized". How do I resolve this error?

Short description

Requests return this error when they are unsigned and come from a source IP address that isn't allowed in the access policy. Requests also return this error when there is an error in the syntax of the access policy.

Resolution

If you are using a client that doesn't support request signing (such as a browser), consider the following:

  • Use an IP-based access policy. IP-based policies allow unsigned requests to an Amazon ES domain.
  • Be sure that the IP addresses specified in the access policy use CIDR notation. Access policies use CIDR notation when checking an IP address against the access policy.
  • Verify that the IP addresses specified in the access policy are the same ones used to access your Elasticsearch cluster. You can get the public IP address of your local computer at https://checkip.amazonaws.com/.

Note: If you're receiving an authorization error, check to see if you are using a public or private IP address. IP-based access policies can't be applied to Amazon ES domains that reside within a virtual private cloud (VPC). This is because security groups already enforce IP-based access policies. For public access, IP-based policies are still available. For more information, see About access policies on VPC domains.
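The checks above can be scripted. The following is an added example, not AWS code: it parses an access policy, reports JSON syntax errors, and tests whether a source IP falls inside any `aws:SourceIp` entry on an Allow statement. The policy, account ID, domain name and addresses are constructed placeholders, the function name `check_source_ip` is hypothetical, and the check covers only the `IpAddress` condition rather than full policy evaluation.

```python
import ipaddress
import json

# Constructed sample: domain name, account ID and addresses are placeholders.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.0/24", "203.0.113.7"]}}
  }]
}"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def check_source_ip(policy_text, source_ip):
    """Return (allowed, findings) for an unsigned request from source_ip."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return False, [f"policy is not valid JSON: {exc.msg} (line {exc.lineno})"]
    addr = ipaddress.ip_address(source_ip)
    findings = []
    if any(addr in net for net in RFC1918):
        findings.append(f"{addr} is a private address; compare your public IP instead")
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        groups = [v for k, v in cond.items() if k.lower() == "aws:sourceip"]
        for entry in (e for g in groups for e in _as_list(g)):
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"'{entry}' is not a valid address or CIDR block")
                continue
            if "/" not in entry:  # flag entries not written in CIDR notation
                findings.append(f"'{entry}' has no prefix length; write {entry}/{net.prefixlen}")
            if addr in net:
                allowed = True
    if not allowed:
        findings.append(f"{addr} matches no aws:SourceIp entry")
    return allowed, findings

if __name__ == "__main__":
    for ip in ("198.51.100.23", "203.0.113.8", "10.0.0.5"):
        print(ip, check_source_ip(SAMPLE_POLICY, ip))
```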

If you are using a client that supports request signing, check the following:

If your Amazon ES domain resides within a VPC, configure an open access policy with or without a proxy server. Then, use security groups to control access. For more information, see About access policies on VPC domains.