I get a "User: anonymous is not authorized" error when I try to access my Amazon OpenSearch Service cluster

Last updated: 2021-09-23

When I try to access my Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) domain or OpenSearch Dashboards, I receive an error. How do I resolve this?

Short description

You receive the following error when requests are unsigned and come from a source IP address that isn't allowed in the access policy:

"User: anonymous is not authorized"

Requests also return this error when there is an error in the syntax of the access policy.

Resolution

Client that doesn't support request signing

If you are using a client that doesn't support request signing (such as a browser), then consider the following:

  • Use an IP-based access policy. IP-based policies allow unsigned requests to an OpenSearch Service domain.
  • Be sure that the IP addresses specified in the access policy use CIDR notation. Access policies use CIDR notation when checking an IP address against the access policy.
  • Verify that the IP addresses specified in the access policy are the same ones used to access your cluster. You can get the public IP address of your local computer at https://checkip.amazonaws.com/.

Note: If you receive an authorization error, then check to see whether you're using a public or private IP address. IP-based access policies can't be applied to OpenSearch Service domains that reside within a virtual private cloud (VPC). This is because security groups already enforce IP-based access policies. If you use public access, then IP-based policies are still available. For more information, see About access policies on VPC domains.
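The checks above can be run offline against a copy of the domain's access policy. The following is an added example, not part of the original article or AWS tooling: the sample policy, account ID, domain name, addresses, and the function names `source_ip_entries` and `check_client` are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample policy: account ID, domain name and addresses are placeholders.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttp*",
  "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
  "Condition": {"IpAddress": {"aws:SourceIp":
    ["198.51.100.0/24", "203.0.113.7", "10.0.0.0/8"]}}
}]}
""")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def source_ip_entries(policy):
    """Collect aws:SourceIp values from Allow statements (hypothetical helper)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    entries = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        value = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        entries += [value] if isinstance(value, str) else list(value)
    return entries

def check_client(policy, client_ip):
    """Return (allowed, findings) for an unsigned request from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    allowed, findings = False, []
    for entry in source_ip_entries(policy):
        if "/" not in entry:
            findings.append(f"{entry}: not in CIDR notation")
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not a valid address or range")
            continue
        if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"{entry}: private range, check public vs private IP")
        if ip.version == net.version and ip in net:
            allowed = True
    return allowed, findings
```

Pass the address reported by https://checkip.amazonaws.com/ as `client_ip`; a result of `False` means an unsigned request from that address is not covered by any IP condition in the policy.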

Client that supports request signing

If you're using a client that supports request signing, then check the following:

If your OpenSearch Service domain resides within a VPC, then configure an open access policy with or without a proxy server. Then, use security groups to control access. For more information, see About access policies on VPC domains.

OpenSearch Dashboards endpoints

If you can't access OpenSearch Dashboards, then note the following:

For more information about accessing OpenSearch Service from OpenSearch Dashboards, see Controlling access to OpenSearch Dashboards.