I get a "User: anonymous is not authorized" error when I try to access my Amazon OpenSearch Service cluster
Last updated: 2021-09-23
When I try to access my Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain or OpenSearch Dashboards, I receive an error. How do I resolve this?
You receive the following error when requests are unsigned and come from a source IP address that isn't allowed in the access policy:
"User: anonymous is not authorized"
Requests also return this error when there is an error in the syntax of the access policy.
Client that doesn't support request signing
If you are using a client that doesn't support request signing (such as a browser), then consider the following:
- Use an IP-based access policy. IP-based policies allow unsigned requests to an OpenSearch Service domain.
- Be sure that the IP addresses specified in the access policy use CIDR notation. Access policies use CIDR notation when checking an IP address against the policy.
- Verify that the IP addresses specified in the access policy are the same ones used to access your cluster. You can get the public IP address of your local computer at https://checkip.amazonaws.com/.
Note: If you receive an authorization error, then check to see whether you're using a public or private IP address. IP-based access policies can't be applied to OpenSearch Service domains that reside within a virtual private cloud (VPC). This is because security groups already enforce IP-based access policies. If you use public access, then IP-based policies are still available. For more information, see About access policies on VPC domains.
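The checks above (valid policy syntax, CIDR notation, and a source IP address that matches the policy) can be run offline against a copy of the domain's access policy. The following Python script is an added example, not AWS code. It assumes that unsigned access is granted through the `IpAddress` condition on `aws:SourceIp`, evaluates only `Allow` statements with a wildcard principal (it ignores `Deny` statements and other conditions), and uses a constructed sample policy with placeholder account ID, domain name, and addresses.

```python
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample policy: account ID, domain name and addresses are placeholders.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.7"]}}
  }]
}"""

def is_anonymous(principal):
    """True when the statement's principal is the wildcard, so unsigned requests can match."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def check_unsigned_access(policy_text, client_ip):
    """Return (allowed, findings) for an unsigned request arriving from client_ip."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return False, [f"policy is not valid JSON: {exc.msg} (line {exc.lineno})"]
    client = ipaddress.ip_address(client_ip)
    findings = []
    if any(client in net for net in RFC1918):
        findings.append(f"{client} is a private address; compare your public IP instead")
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    allowed = False
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        ranges = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        for entry in [ranges] if isinstance(ranges, str) else ranges:
            try:
                network = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"statement {i}: {entry!r} is not an IP address or CIDR range")
                continue
            allowed = allowed or client in network
    if not allowed:
        findings.append(f"no Allow statement covers {client}")
    return allowed, findings
```

Call `check_unsigned_access(policy_json, ip)` with the policy text copied from the domain configuration and the address returned by https://checkip.amazonaws.com/.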
Client that supports request signing
If you're using a client that supports request signing, then check the following:
- Be sure that your requests are correctly signed. AWS uses the Signature Version 4 signing process to add authentication information to AWS requests. Requests from clients that aren't compatible with Signature Version 4 are rejected with a "User: anonymous is not authorized" error. For examples of correctly signed requests to OpenSearch Service, see Making and signing OpenSearch Service requests.
- Verify that the correct Amazon Resource Name (ARN) is specified in the access policy.
If your OpenSearch Service domain resides within a VPC, then configure an open access policy with or without a proxy server. Then, use security groups to control access. For more information, see About access policies on VPC domains.
OpenSearch Dashboards endpoints
If you can't access OpenSearch Dashboards, then note the following:
- The OpenSearch Dashboards endpoint doesn't support signed requests.
- If your access control policy allows certain AWS Identity and Access Management (IAM) users or roles domain access, then configure your Amazon Cognito authentication for OpenSearch Dashboards. Otherwise, the IAM role or user receives an error when accessing the OpenSearch Dashboards domain.
- If your Amazon OpenSearch Service domain uses VPC access, then your request can time out.
For more information about accessing OpenSearch Service from OpenSearch Dashboards, see Controlling access to OpenSearch Dashboards.