23

I have created an AWS Elasticsearch domain:

https://search-xx-xx.us-east-1.es.amazonaws.com/

On clicking both the Elasticsearch URL and the Kibana URL, I got the error below:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}


Below is the code, which is working fine:

```python
import boto3
from requests_aws4auth import AWS4Auth
from elasticsearch import Elasticsearch, RequestsHttpConnection

# Sign every request (SigV4, service 'es') with the credentials of the current session.
session = boto3.session.Session()
credentials = session.get_credentials()

awsauth = AWS4Auth(credentials.access_key,
                   credentials.secret_key,
                   session.region_name, 'es',
                   session_token=credentials.token)
es = Elasticsearch(
    ['https://search-testelastic-2276kyz2u4l3basec63onfq73a.us-east-1.es.amazonaws.com'],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection
)


def lambda_handler(event, context):
    es.cluster.health()
    # ignore=400 tolerates the "index already exists" response on repeated runs
    es.indices.create(index='my-index', ignore=400)
    r = [
        {'Name': 'Dr. Christopher DeSimone', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Tajwar Aamir (Aamir)', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Bernard M. Aaron', 'Specialised and Location': 'Health'},
        {'Name': 'Eliana M. Aaron', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Joseph J. Aaron', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Michael R. Aaron', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Darryl H. Aarons', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. William B. Aarons', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Sirike T. Aasmaa', 'Specialised and Location': 'Health'},
        {'Name': 'Dr. Jacobo A. Abadi', 'Specialised and Location': 'Health'},
    ]
    # Index each document into my-index
    for doc in r:
        es.index(index="my-index", body=doc)
```

Below is the access policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "*"
        }
      }
    }
  ]
}
```
danronmoon

2 Answers

27

This error would indicate your ElasticSearch service does not support anonymous requests (those not signed with valid IAM credentials).

Although your policy seems OK, the official allow-all policy looks like the below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*"
    }
  ]
}
```
Chris Williams
  • 1
    probably need to set the [session](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/core/session.html) variables as an alternative – lloyd Jul 05 '20 at 09:34
  • 1
    Thanks, it's working fine. Where did you get this, Sir? I could not see it in the documentation –  Jul 05 '20 at 09:39
  • My kibana is taking too much time to load –  Jul 05 '20 at 09:42
  • It's from the console when you have the ability to generate; it has a predetermined option named "Allow open access to the domain" – Chris Williams Jul 05 '20 at 09:42
  • Do you also have a security group attached to the domain? It will need to allow inbound access :) – Chris Williams Jul 05 '20 at 09:43
  • No Chris, it's a dev-testing elastic service with t2 small, so no security policy –  Jul 05 '20 at 09:47
  • So to confirm, it's not in a VPC? – Chris Williams Jul 05 '20 at 09:49
  • 2
    Hmm does accessing it in any kind of incognito window help? – Chris Williams Jul 05 '20 at 09:54
  • Still, it has only been loading for 5 minutes, and after that a pop-up comes saying Kibana did not load properly `https://search-xx-xx.us-east-1.es.amazonaws.com/_plugin/kibana/app/kibana`. After 5 minutes it's visible now :) Is there any way to make it faster? –  Jul 05 '20 at 10:15
  • So Kibana's UI loads but it gives you that message? That sounds as if Kibana cannot talk to ElasticSearch :( – Chris Williams Jul 05 '20 at 10:20
  • @ChrisWilliams if I use this policy, I get the following problem: UpdateElasticsearchDomainConfig: {"message":"Apply a restrictive access policy to your domain"} Do you have a hint for me? Thanks – Schaumkuesschen Jun 28 '21 at 10:28
  • It’s indicating that the policy is too open @Schaumkuesschen. Is your ES a VPC based or over internet based deployment? – Chris Williams Jul 01 '21 at 05:03
  • @ChrisWilliams it's an over internet based deployment. – Schaumkuesschen Jul 01 '21 at 06:05
  • As it's over the internet, the above policy would allow anyone to access it. If you take a look at the IP condition, you can lock it down to an appropriate set of IPs. An example can be found in this link: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-ac.html#es-ac-types-ip – Chris Williams Jul 01 '21 at 06:38
  • Adding this policy resolved the error for me while using fine-grained access on a single OpenSearch instance. – abk Nov 09 '22 at 01:46
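
The two policies on this page and the IP lock-down suggested in the comments can be told apart mechanically. The following check is an added example, not code from the post or from AWS: `open_access_findings` and `make_policy` are hypothetical names, the ARN is the page's placeholder, and `203.0.113.0/24` is a documentation range used as a constructed sample.

```python
import ipaddress

def open_access_findings(policy):
    """Flag Allow statements with a wildcard principal whose IP condition is
    missing, malformed or unrestricted."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" not in (aws if isinstance(aws, list) else [aws]):
            continue                          # named IAM principals must sign requests
        ips = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if ips is None:
            findings.append(f"statement {i}: wildcard principal with no IP condition")
            continue
        for cidr in ([ips] if isinstance(ips, str) else ips):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"statement {i}: aws:SourceIp {cidr!r} is not an IP or CIDR")
                continue
            if net.prefixlen == 0:
                findings.append(f"statement {i}: aws:SourceIp {cidr} covers every address")
    return findings

def make_policy(condition=None):
    """Build the policy shape shown on this page (constructed sample)."""
    st = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*"}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}

QUESTION_POLICY = make_policy({"IpAddress": {"aws:SourceIp": "*"}})   # from the question
OPEN_POLICY = make_policy()                                           # from the answer
RESTRICTED_POLICY = make_policy({"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}})

if __name__ == "__main__":
    for name in ("QUESTION_POLICY", "OPEN_POLICY", "RESTRICTED_POLICY"):
        print(name, open_access_findings(globals()[name]) or "no open-access finding")
```
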
2

Try using the AWS Signature authentication method in Postman, for tests.

In Postman, go to the Authorization tab and under Type, select AWS Signature. Get your AWS Access Key and Secret Key from Security Credentials > Create Access Key.

Add your region in Postman and the service name as es, and then hit Send. It should work!

Kaushal28
Carlos Assis
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 09 '21 at 18:56