2

I'm trying to use OpenSearch to connect to my OpenSearch domain on AWS. I set env for AWS. However, I'm encountering an authentication/authorization failure. Here's my code:

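import java.io.IOException;
import org.opensearch.client.opensearch.OpenSearchClient;
import org.opensearch.client.opensearch.core.InfoResponse;
import org.opensearch.client.transport.aws.AwsSdk2Transport;
import org.opensearch.client.transport.aws.AwsSdk2TransportOptions;
import software.amazon.awssdk.http.SdkHttpClient;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region;

public class Example {

  public static void main(final String[] args) throws IOException {
    SdkHttpClient httpClient = ApacheHttpClient.builder().build();
    try {
      // Transport that signs each request with the AWS SDK v2 credentials
      OpenSearchClient client =
          new OpenSearchClient(
              new AwsSdk2Transport(
                  httpClient,
                  // Domain endpoint host (partly redacted)
                  "search-*****-3ovub4o4gncugluu6t2tquptnu.eu-central-1.es.amazonaws.com",
                  Region.EU_CENTRAL_1,
                  AwsSdk2TransportOptions.builder().build()));

      // Simple round trip: fetch the cluster distribution and version
      InfoResponse info = client.info();
      System.out.println(info.version().distribution() + ": " + info.version().number());
    } finally {
      httpClient.close();
    }
  }
}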

When I run this code, I get the following exception:

Exception in thread "main" org.opensearch.client.opensearch._types.OpenSearchException: Request failed: [security_exception] authentication/authorization failure
    at org.opensearch.client.transport.aws.AwsSdk2Transport.parseResponse(AwsSdk2Transport.java:47)
    at org.opensearch.client.transport.aws.AwsSdk2Transport.executeSync(AwsSdk2Transport.java:393)
    at org.opensearch.client.transport.aws.AwsSdk2Transport.performRequest(AwsSdk2Transport.java:191)
    at org.opensearch.client.opensearch.OpenSearchClient.info(OpenSearchClient.java:790)
    at Example.main(Example.java:25)

I believe I have the correct permissions set up for my IAM user, and I'm using the correct access key and secret key. However, I still can't seem to resolve this issue. What am I missing or doing wrong? Any help or guidance would be appreciated.

This is my AWS config: pic_1 pic_2 pic_3

Taras Vovk

2 Answers

0

I've got the same error. There are a few things you can check:

  1. Credentials: Make sure that the access key and secret key in your Java application are correct and match the credentials in your AWS profile.
  2. Region: Make sure that your Java application is using the same region as your OpenSearch domain.
  3. Permissions: Make sure that the IAM user/role associated with your credentials has the necessary permissions to interact with your OpenSearch domain.
  4. Endpoint: Make sure that your Java application is using the correct endpoint URL which excludes https://.
  5. Version: Make sure that your Java application implements the correct version of the OpenSearchClient for the version of OpenSearch you are using.

In my case, in fact, my infrastructure manager set OpenSearch to only allow ID/PW access. Therefore, it is recommended to check the OpenSearch security configuration, too.

HB HONG
0

You may have enabled fine-grained access control with a master user when you created your cluster. If that's the case, the request is not authorized when processed with an IAM user (in case you are running your code on your IAM user profile). You have two options:

  1. Go to your domain in the console -> Security configuration -> Fine-grained access control and set the IAM ARN as the master user.

  2. Update the domain-level access policy to allow your IAM user access. A resource to help on this point: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html

wals
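
The endpoint and region checks from the first answer, plus the IAM ARN that the second answer asks you to compare against the master user and access policy, as an added Java example (not code from the question or either answer). The class name `OpenSearchPreflight`, the sample hostname and the extra `software.amazon.awssdk:sts` dependency are assumptions, as is the premise that the transport signs with the SDK's default credentials chain because the question sets no provider.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import software.amazon.awssdk.core.exception.SdkException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;

// Added example with a hypothetical class name; not code from the question or answers.
public class OpenSearchPreflight {
  // Hostname shape taken from the question: <name>.<region>.es.amazonaws.com
  private static final Pattern DOMAIN_HOST =
      Pattern.compile("^[a-z0-9-]+\\.([a-z0-9-]+)\\.es\\.amazonaws\\.com$");

  // The question passes a bare host to AwsSdk2Transport, so drop scheme, path and case.
  static String normalizeHost(String endpoint) {
    String host = endpoint.trim().toLowerCase(Locale.ROOT).replaceFirst("^https?://", "");
    int slash = host.indexOf('/');
    return slash >= 0 ? host.substring(0, slash) : host;
  }

  // Region encoded in the hostname, if the host has the shape above.
  static Optional<Region> regionOf(String host) {
    Matcher m = DOMAIN_HOST.matcher(host);
    return m.matches() ? Optional.of(Region.of(m.group(1))) : Optional.empty();
  }

  public static void main(String[] args) {
    // Constructed sample values; pass your own endpoint and region as arguments.
    String endpoint = args.length > 0 ? args[0]
        : "https://search-example-abc123.eu-central-1.es.amazonaws.com/";
    Region configured = args.length > 1 ? Region.of(args[1]) : Region.EU_CENTRAL_1;
    String host = normalizeHost(endpoint);
    System.out.println("Host for the transport: " + host);
    System.out.println(regionOf(host).map(r -> r.id().equals(configured.id())
            ? "Region matches the hostname: " + r.id()
            : "Region MISMATCH: host says " + r.id() + ", client uses " + configured.id())
        .orElse("Hostname does not have the expected shape; check it by hand."));
    // Assumption: the default credentials chain is what signs the OpenSearch requests.
    // Compare the printed ARN with the master user ARN and the domain access policy.
    try (StsClient sts = StsClient.builder().region(configured).build()) {
      System.out.println("Signing identity: " + sts.getCallerIdentity().arn());
    } catch (SdkException e) {
      System.out.println("Could not resolve credentials or reach STS: " + e.getMessage());
    }
  }
}
```

If the printed ARN is not the one configured as master user or named in the domain access policy, the client is signing as a different principal than the one you granted access to.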