9

Following this article to set up Cognito auth for AWS Elasticsearch.

https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/

Getting an error:

Open Distro for Elasticsearch

Missing Role

No roles available for this user, please contact your system administrator.

Does anybody know why I could get it?

user10687568

2 Answers

14

The crucial missing part was the below:

  • Navigate to the Elasticsearch domain on your AWS Elasticsearch console page
  • After this, click on the "Actions" button -> "Modify master user"
  • Then select "Set IAM ARN as master user" and in the "IAM ARN" field, add the IAM role ARN "arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group>"
  • Click Submit

thebighadron
  • Thank you so much for this! It took forever to get here. I followed your instructions to add arn:aws:iam::xxxxxxxxxxxx:role/service-role/CognitoAccessForAmazonES and voila! It worked! – Harish Prasanna Oct 27 '20 at 06:52
  • Thanks! This worked for me, as well. In my case, I had to add the limited role I created in this case - i.e.: `arn:aws:iam::##########10:role/IAMLimitedUserRole`. This wasn't very intuitive in the AWS docs I followed. – h-bomb Oct 28 '20 at 19:37
  • @h-bomb you mean you had to add both IAMLimitedUserRole and IAMMasterUserRole? – dp119 Nov 04 '20 at 03:22
  • Yes, @dp119. But I only had an issue with the limited role because I didn't realize I had to go back and add the limited role in the field and submit. After further research, though, I discovered that instead of doing this last step, I could have just logged in to Kibana, added the limited role and mapped it to the AWS role ARN as a backend role. – h-bomb Nov 04 '20 at 08:31
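The change the accepted answer describes (making the Cognito identity pool's authenticated role the domain's master user) as a scripted check and update. This is an added example, not code from the answer or from AWS; it assumes boto3's `es` and `cognito-identity` clients, and the domain name, pool id, account id and role name are constructed placeholders.

```python
import re

ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")  # our own sanity check

def build_master_user_update(domain_name, domain_status, pool_roles):
    """Build es.update_elasticsearch_domain_config() kwargs that make the pool's
    authenticated role the master user (domain_status: DescribeElasticsearchDomain
    'DomainStatus'; pool_roles: cognito-identity GetIdentityPoolRoles response)."""
    if not domain_status.get("AdvancedSecurityOptions", {}).get("Enabled"):
        raise ValueError("fine-grained access control is off; no master user to set")
    cognito = domain_status.get("CognitoOptions", {})
    if not cognito.get("Enabled"):
        raise ValueError("Cognito authentication for Kibana is not enabled")
    if pool_roles.get("IdentityPoolId") != cognito.get("IdentityPoolId"):
        raise ValueError("identity pool roles do not belong to the domain's pool")
    auth_role = pool_roles.get("Roles", {}).get("authenticated")
    if not auth_role or not ROLE_ARN.match(auth_role):
        raise ValueError("identity pool has no valid authenticated role ARN")
    return {"DomainName": domain_name,
            "AdvancedSecurityOptions": {
                # an IAM master user requires the internal user database to be off
                "InternalUserDatabaseEnabled": False,
                "MasterUserOptions": {"MasterUserARN": auth_role}}}

def mismatch_reason(domain_status, pool_roles):
    """None when the inputs are consistent, else why 'Missing Role' is expected."""
    try:
        build_master_user_update("probe", domain_status, pool_roles)
        return None
    except ValueError as exc:
        return str(exc)

def apply(domain_name):
    """Live path (needs boto3 + credentials): same change as the console's
    Actions -> Modify master user -> Set IAM ARN as master user."""
    import boto3
    es = boto3.client("es")
    status = es.describe_elasticsearch_domain(DomainName=domain_name)["DomainStatus"]
    roles = boto3.client("cognito-identity").get_identity_pool_roles(
        IdentityPoolId=status["CognitoOptions"]["IdentityPoolId"])
    return es.update_elasticsearch_domain_config(
        **build_master_user_update(domain_name, status, roles))

# Constructed sample responses (placeholder pool id, account id and role name)
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
SAMPLE_STATUS = {"AdvancedSecurityOptions": {"Enabled": True},
                 "CognitoOptions": {"Enabled": True, "IdentityPoolId": POOL_ID}}
SAMPLE_ROLES = {"IdentityPoolId": POOL_ID, "Roles": {
    "authenticated": "arn:aws:iam::123456789012:role/Cognito_KibanaAuth_Role"}}
```

Run `mismatch_reason()` on the live responses first: if it returns a string, the "Missing Role" screen is explained before any domain change is made.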
12

If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.

Alternatively, you can configure the master user role to be the same as the Cognito Authenticated role ARN.

stackOp
  • AWS is such a nightmare for beginners. If they didn't give me a credit for my startup I'd never use it! – Leon Aug 15 '21 at 18:16
  • I've missed the "must match" part. Thanks for pointing that out. Here you are, still helping with your comment after 3 years :) – Mert Alnuaimi Feb 28 '23 at 10:13