Reputation: 25628
Unable to update ElasticSearch access policy using CLI
I have an access policy that looks something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:123456789012:domain/es01-vpc01-prod-useast1/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"123.456.123.456"
]
}
}
}
]
}
From my understanding, this should give all es related permissions to anyone at the IP 123.456.123.456. This indeed works for most things: I can access ElasticSearch, and I can also execute CLI commands such as aws es describe-elasticsearch-domain --domain-name es01-vpc01-prod-useast1
However, for some reason I cannot modify the access policy from the CLI using a command like this:
aws es update-elasticsearch-domain-config --domain-name es01-vpc01-prod-useast1 --access-policies '{\"Version\": \"2012-10-17\",\"Statement\": [{\"Effect\": \"Allow\",\"Principal\": {\"AWS\": \"*\"},\"Action\": \"es:*\",\"Resource\": \"arn:aws:es:us-east-1:123456789012:domain/es01-vpc01-prod-useast1/*\",\"Condition\": {\"IpAddress\": {\"aws:SourceIp\": [\"123.456.123.456\"]}}}]}'
I receive an error such as:
An error occurred (AccessDeniedException) when calling the UpdateElasticsearchDomainConfig operation: User: arn:aws:iam::123456789012:user/MyUser is not authorized to perform: es:UpdateElasticsearchDomainConfig on resource: arn:aws:es:us-east-1:123456789012:domain/es01-vpc01-prod-useast1
I have tried variations on the access policy, such as adding the specific role to the access policy, e.g.
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/MyRole"
},
"Action": [
"es:UpdateElasticsearchDomainConfig"
],
"Resource": "arn:aws:es:us-east-1:123456789012:domain/es01-vpc01-prod-useast1"
}
But still no success. What is the trick to make this work?
Upvotes: 1
Views: 1916
Answers (1)
Reputation: 21
I know this is an old topic, but in case anyone else has the same issue.
Note that IP address whitelisting for ES only works if the ES domain is outside the VPC.
The following command works for me, the main thing is that you don't need to escape the double quotes if you are surrounding the JSON in single quotes.
Change 'my-domain', the account ID of '1234567890' and the IP address of '127.0.0.1' to your own and it should work for you.
aws es update-elasticsearch-domain-config --domain-name my-domain --access-policies '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:1234567890:domain/my-domain/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "127.0.0.1"
}
}
}
]
}'
Upvotes: 1
Related Questions
- How to update an Amazon S3 Bucket Policy via the AWS CLI?
- Updating AWS Elasticsearch cluster settings
- AWS kibana/ES trying to create policy but getting "authorization exception"
- Attach Policy to AWS Elasticsearch
- error when trying to update the settings
- How to update AWS elasticsearch cluster setting via its rest API?
- elasticsearch cloud - access config/elasticsearch.yml file
- Elasticsearch issue: not working in command line
- Error Updating AWS Elasticsearch Settings Via Command Line
- Unable to update mapping in elastic search