Why did I get a "User: anonymous is not authorized" error when I tried to access my OpenSearch Service cluster?

3 minute read
0

I tried to access my Amazon OpenSearch Service domain or OpenSearch Dashboards and got a "User: anonymous is not authorized" error.

Short description

You get the following error when requests are unsigned and come from a source IP address that isn't allowed in the access policy:

"User: anonymous is not authorized"

Resolution

Client that doesn't support request signing

If you are using a client that doesn't support request signing (such as a browser), then consider the following:

  • Use an IP-based access policy. IP-based policies allow unsigned requests to an OpenSearch Service domain.
  • Be sure that the IP addresses specified in the access policy use CIDR notation. Access policies use CIDR notation when checking the IP address against the access policy.
  • Verify that the IP addresses specified in the access policy are the same ones used to access your cluster. Check the public IP address of your local computer at https://checkip.amazonaws.com/.

Note: If you receive an authorization error, then check to see if you're using a public or private IP address. IP-based access policies can't be applied to OpenSearch Service domains that reside within a virtual private cloud (VPC). This is because security groups already enforce IP-based access policies. If you use public access, then IP-based policies are still available. For more information, see About access policies on VPC domains.

Client that supports request signing

If you're using a client that supports request signing, then check the following:

If your OpenSearch Service domain resides within a VPC, then configure an open access policy with or without a proxy server. Then, use security groups to control access. For more information, see About access policies on VPC domains.

OpenSearch Dashboards endpoints

If you can't access OpenSearch Dashboards, then note the following:

For more information about accessing OpenSearch Service from OpenSearch Dashboards, see Controlling access to OpenSearch Dashboards.

Related information

Configuring Amazon Cognito authentication for OpenSearch Dashboards

Troubleshooting Amazon OpenSearch Service

Controlling access to OpenSearch Dashboards

AWS OFFICIAL
AWS OFFICIALUpdated a year ago