2

AWS Elasticsearch fine grained access control uses Open Distro Elasticsearch security. Using this feature authorization can be handled inside the Elasticsearch. https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles

AWS Documentation suggests to use the Open Distro Elasticsearch documentation, to use security Rest APIs, such as creating role or reading role.

You can create new roles for fine-grained access control using Kibana or the _opendistro/_security operation in the REST API. For more information, see the Open Distro for Elasticsearch documentation. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html

There are roles inside Elasticsearch using which we can control the authorization permissions of IAM user/role. This is done using Role mapping by adding IAM user into Users list or IAM role into backend role.

I added my IAM role into Elasticsearch backend role and I am able to execute below APIs,

PUT /my_index
PUT /_template/template_for_my_index

But when I execute below API, I am getting below response.

PATCH /_opendistro/_security/api/rolesmapping/my_role_inside_elasticsearch
{'statusCode': 200, 'headers': {'Access-Control-Allow-Origin': '*'}, 'isBase64Encoded': False, 'body': '{"status":"FORBIDDEN","message":"No permission to access REST API: User arn:aws:iam::123456789:role/myIamRole with Open Distro Security Roles [all_access] does not have any role privileged for admin access. No ssl info found in request."}'}

I tried adding IAM role into Elasticsearch all_access and also into my own Elasticsearch role which has * permissions(all permissions).

How to grant access to IAM Role/User to create role inside AWS Elasticsearch?

Note: IAM Roles and Elasticsearch Roles are different.

karthikeayan
  • 4,291
  • 7
  • 37
  • 75

1 Answers1

1

To grant permission to an IAM user/role to access opendsitro apis, you have to give the IAM entity permissions similar to master user. You have two options to do so:

  1. Either make that IAM entity the new master user via aws opensearch cli/console.
  2. Map the IAM user/role to all_access as well as security_manager thereby adding it as an additional master user.

Note: For IAM user, the arn needs to be added under users, whereas for IAM role, the arn needs to be added under backend_roles in the role mapping section.

More details: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters

Can you clarify if you were able to successfully map the IAM user/role to all_access? Your question is not clear on that.

Dhiresh Jain
  • 464
  • 5
  • 15
  • 1
    Does the IAM role of the compute service (such as EC2 or Lambda) need to be made a master user (both `all_access` and `security_manager`) before it can do *anything* with the API, such as put new index? Is there a way to narrow the scope of its permissions (because it seems like master user means full admin access to the domain)? – Yann Stoneman Feb 11 '22 at 18:38
  • 2
    Creating new index is via different api and not through any of the security apis. So no, to create new index you don't need to be a master user – Dhiresh Jain Feb 12 '22 at 09:03