11

I can't access the indices tab of my ES domain in the AWS ElasticSearch console. Here is what it looks like in the console:


Even though I added my IAM ARN (arn:aws:iam::NNNNNNNNNNNNN:root) to the access policy of the console, I am still getting this error:

/_stats: {
  "error":{
    "root_cause":[
      {
        "type":"security_exception",
        "reason":"no permissions for [indices:monitor/stats] and User [name=arn:aws:iam::NNNNNNNNNNNNN:root, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type":"security_exception",
    "reason":"no permissions for [indices:monitor/stats] and User [name=arn:aws:iam::NNNNNNNNNNNNN:root, backend_roles=[], requestedTenant=null]"
  },
  "status":403
}

Any idea what went wrong? The domain has access control with a master password as well.

Amit

kee

2 Answers

14

It turns out my access policy setting itself was correct, but if you have the master user account configured using basic auth in your domain, the indices and the cluster health don't work. After I switched to an ARN-based master account, it worked.

kee

8

For Googlers:

As of 2020/01, Amazon ES employs a tricky way to determine how fine-grained authorization is done.

  • If your master user is an IAM user ARN, you implicitly opt in to the IAM-way
  • If your master user is created as an ES user with its own username and password, you implicitly opt in to the normal-way

The implications are:

  • The IAM-way takes an AWS token as the way to authorize requests
  • The normal-way takes HTTP authentication
  • If you choose the normal-way, then ES will not integrate with IAM, nor will it map IAM users / roles to internal users, even if they seem to be mapped in the Kibana UI
  • If you choose the IAM-way, then you lose the ability to log in via the Kibana default login page; it becomes non-functional
  • If you still want to use the IAM-way plus the Kibana UI, then you will need to integrate Cognito

This looks very confusing to users who see IAM users / roles mapped, only to find them unauthorized when accessing the domain.

As you can change the master user (with downtime) for an ES domain, you can change it back and forth to avoid integrating with Cognito, but this is a pain.

This should be more clearly stated, or better emphasized in the official docs.


dz902
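The two modes contrasted above, as an added example (not code from the answer or from AWS): the same GET /_stats request from the question, built once with HTTP basic auth for an internal master user (the normal-way) and once as a SigV4-signed request carrying an IAM identity (the IAM-way). The endpoint, region and credentials are placeholders; the signed request is what the domain rejects with the 403 security_exception in the question when the master user is an internal user and no role is mapped to the IAM ARN.

```python
"""Build the two kinds of authenticated GET /_stats request.  Added example;
endpoint, region and credentials below are placeholders, not real values."""
import base64
import datetime
import hashlib
import hmac
from urllib.parse import quote

HOST = "search-example-domain.us-east-1.es.amazonaws.com"  # placeholder endpoint
REGION = "us-east-1"                                        # placeholder region
SERVICE = "es"  # SigV4 service name used for Amazon Elasticsearch Service


def basic_auth_headers(username: str, password: str) -> dict:
    """Normal-way: the internal master user's credentials in a Basic Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Host": HOST, "Authorization": f"Basic {token}"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(access_key: str, secret_key: str, path: str = "/_stats",
                  when: datetime.datetime = None) -> dict:
    """IAM-way: sign the request with AWS SigV4 so the domain sees the caller's IAM identity."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET carries an empty body
    canonical_headers = f"host:{HOST}\nx-amz-date:{amz_date}\n"
    signed_headers = "host;x-amz-date"
    # Canonical request: method, URI, query string (empty), headers, signed headers, payload hash
    canonical_request = "\n".join(["GET", quote(path, safe="/~"), "", canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> aws4_request
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": HOST, "X-Amz-Date": amz_date, "Authorization": authorization}
```

Temporary credentials (an assumed role) also require an X-Amz-Security-Token header included in the signed headers, which this block does not handle.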