
I have an Elasticsearch Service instance on AWS and an Elastic Beanstalk one.

I want to give read-only access to Beanstalk; however, Beanstalk doesn't have a static IP address by default, and from a bit of googling it is too much trouble to add one.

I therefore gave access to the AWS account, but that doesn't seem to work. I am still getting the error:

"User: anonymous is not authorized to perform: es:ESHttpPost"

When I set it to public access everything works so I am certain I am doing something wrong here:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxx:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx-elastic-search/*"
    }
  ]
}

1 Answer


Use an identity-based policy such as this instead of IP whitelists.

{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Resource": "arn:aws:es:us-west-2:111111111111:domain/recipes1/*",
   "Action": ["es:*"],
   "Effect": "Allow"
  }
 ]
}

Then attach it to the Elastic Beanstalk role. Read more here:

https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/

Sid Malani
  • I created a policy from IAM > Policies with the JSON you suggested, attached it to aws-elasticbeanstalk-ec2-role and aws-elasticbeanstalk-service-role, but nothing changed. –  Nov 17 '18 at 16:40
  • Could you paste your policy here (hiding confidential stuff)? Do you see any error logs? – Sid Malani Nov 18 '18 at 01:17
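The detail the thread never spells out is why an identity-based policy on the Beanstalk role can have no visible effect: the domain only evaluates the role's permissions when the HTTP request is signed with AWS Signature Version 4 using that role's credentials. A plain, unsigned request is evaluated as the principal "anonymous", which is exactly the error in the question, and no resource policy or identity policy will ever match it unless the domain is opened to public access. The following is an added example (not code from the page or from the answerer) showing what a correctly signed request to the domain looks like, using only the Python standard library. The domain hostname, index path, document body, access key, secret key and session token are constructed test values; in a real Beanstalk environment the credentials come from the instance role (for instance `boto3.Session().get_credentials().get_frozen_credentials()`, which returns the access key, secret key and the session token). The session token is the usual trap: instance-role credentials are temporary, and a signature that omits `x-amz-security-token` is rejected even when everything else is right.

```python
"""SigV4-sign a request to an Amazon Elasticsearch Service domain.

Added example, stdlib only. All credentials, hostnames and documents used
in __main__ are constructed sample values, not real ones.
"""
import datetime
import hashlib
import hmac
import json
import urllib.request
from urllib.parse import quote

SERVICE = "es"  # signing name of Amazon Elasticsearch Service


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, datestamp: str, region: str) -> bytes:
    """Derive the SigV4 signing key for one date, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def sigv4_headers(method, host, path, body, region, access_key, secret_key,
                  session_token=None, amz_date=None):
    """Return the HTTP headers of a SigV4-signed request to an ES domain.

    amz_date is "YYYYMMDDTHHMMSSZ"; it defaults to the current UTC time and
    is a parameter only so that a signature can be reproduced in tests.
    Without this Authorization header the domain sees "User: anonymous".
    """
    if amz_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()

    # Every header in this dict is included in the signature.
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-content-sha256": payload_hash}
    if body:
        headers["content-type"] = "application/json"
    if session_token:
        # Instance-role credentials are temporary: the token must be sent
        # and signed, otherwise the access key is rejected.
        headers["x-amz-security-token"] = session_token

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(
        f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        quote(path, safe="/"),  # URI-encoded path
        "",                     # canonical query string (none in this example)
        canonical_headers,
        signed_headers,
        payload_hash,
    ])
    scope = f"{datestamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, datestamp, region),
                         string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def send(host, method, path, body, headers):
    """Send a signed request and return (status, response body)."""
    req = urllib.request.Request(f"https://{host}{path}",
                                 data=body or None, method=method)
    for name, value in headers.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values; the access key/secret are AWS's documented
    # placeholder credentials and the token is made up.
    body = json.dumps({"query": {"match_all": {}}}).encode("utf-8")
    hdrs = sigv4_headers("POST", "search-demo.eu-central-1.es.amazonaws.com",
                         "/logs/_search", body, "eu-central-1",
                         "AKIAIOSFODNN7EXAMPLE",
                         "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                         session_token="FwoGZXIvYXdzEXAMPLETOKEN")
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

Two practical notes. First, the "read-only" goal in the question does not map cleanly onto `es:ESHttpGet`: Elasticsearch's `_search` endpoint accepts POST as well as GET, and the error in the question shows the application is already issuing POSTs, so a policy that grants only `ESHttpGet` and `ESHttpHead` will break searches; restricting the `Resource` to the paths the application needs is the more reliable way to scope the role down. Second, if you would rather not hand-roll the signing, `requests-aws4auth` (with `boto3` credentials) or the AWS SDK signers do the same thing; the point of the example is to show what must be on the wire for the role's identity policy to be consulted at all.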