How do I troubleshoot fine-grained access control errors in my Amazon Elasticsearch cluster?

Last updated: 2021-03-05

I am experiencing access control errors in my Amazon Elasticsearch (Amazon ES) cluster. How can I troubleshoot and resolve access control errors?

Short description

You might experience one of the following fine-grained access control errors in your Amazon ES cluster:

  • "security_exception","reason":"no permissions" 403 errors
  • "User: anonymous is not authorized to perform: iam:PassRole"
  • "Couldn’t find any Elasticsearch data"
  • 401 unauthorized errors

In addition to troubleshooting these errors, this article shows you how to complete the following tasks using Amazon ES:

  • Integrate other AWS services with Amazon ES when field-grained access control is enabled
  • Allow anonymous access using fine-grained access control
  • Provide fine grained access to specific indices, dashboards, and visualizations based on user tenancy
  • Use fine-grained access control at a field level

Resolution

"security_exception","reason":"no permissions" 403 errors

To resolve this error, first check if the user or backend role in your Amazon ES cluster has the required permissions. Then, map the user or backend role to a role.

"User: anonymous is not authorized to perform: iam:PassRole"

You might receive this error when you try to register a manual snapshot. As well as the normal permissions required for the Amazon Identity and Access Management (IAM) role that you used to register the manual snapshot, you must map the manage_snapshots role to the IAM role. Then, use that IAM role to send a signed request to the domain.

"Couldn’t find any Elasticsearch data"

You might receive this error when you try to create index patterns after upgrading to Amazon ES 7.9. In Amazon ES 7.9, you must use the /_resolve API to add "indices:admin/resolve/index" to all of the indices and aliases when you create a new index-patter in the fine-grain access control cluster. Because this permission is missing, Amazon ES throws a 403 error status code. This is in turn mapped to a 500 error status code from Kibana. As a result, the indices are not listed.

401 unauthorized errors

You might receive a 401 unauthorized error when you use the "$" or "!" characters in primary credentials with curl -u “user:password” <ES-ENDPOINT>. Be sure to put your credentials in single quotes, as in the following example:

curl -u 'user:password' <ES-ENDPOINT>

Integrate other AWS services with Amazon ES when field-grained access control is enabled

To integrate another AWS service with Amazon ES when field-grained access control is enabled, you must give the IAM roles for those services the appropriate permissions. For more information, see the following documentation on using Integrations with fine-grained access control.

Allow anonymous access using fine-grained access control

Because of the managed nature of Amazon ES, anonymous access is not currently supported.

Provide fine-grained access to specific indices, dashboards, and visualizations based on user tenancy

To provide fine grained access to specific indices, dashboards or visualizations, you must map the user to a role that has permissions to the Kibana index of the tenant:

.kibana_<hash>_<tenant_name>

For more information, see Manage Kibana indices.

Use fine-grained access control at a field level

To use fine-grained access control at field level, set up a role with the required field level security. Then, map the user to the role you created.


Did this article help?


Do you need billing or technical support?