AWS provide proxy for Elasticsearch VPC domain

Question

We created a VPC Elasticsearch domain.

We would like to be able to access the logs (kibana) from the Internet. I found this question: AWS Elasticsearch VPC connectivity

The answer suggests an nginx proxy facing the Internet and sitting on the VPC subnet. I got that working. But the response from the ES backend is that the user does not have the rights.

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}

Looks like I have to create the right policy. But I am stuck there.

I have created a role. But how to assign the role to the user, or even to the proxy so it is able to access the ES VPC endpoint?

Answer 1

I finally got something well working for us following @jordanm 's cue using aws-es-proxy.

I initially just installed aws-es-proxy on my local machine. I obviously had not understood how it works. Needless to say, it was timing out - essentially it was like I was accessing the VPC Endpoint from the Internet.

I then realized I had to install the proxy on a machine with access to the cluster (VPC / Subnet).

And finally I realized that I now needed an ssh tunnel to that machine in order to access it from localhost:9200.

Of course this is not what I myself was asking in the question - which I asked because I was freakin and did not understand all this AWS/VPC/ES stuff. I thought that if I'd create a public Internet proxy it would be easier.

Now I learnt quite a big deal and actually...access everything via a local tunnel is much safer.