Daniel Birowsky Popeski

Reputation: 9266

How to grant Lambda access to ElasticSearch in AWS?

I am successfully accessing the AWS ElasticSearch service with my local AWS credentials. However, when trying from Lambda, I get the following:

User: arn:aws:sts::XXXXXXXXXX:assumed-role/dudeman-workouts-dev-graphqlLambdaServiceRoleXXXXXX-XXXXXXXXX/dudeman-workouts-dev-graphqlLambdaXXXXXXXX-XXXXXXXXXX is not authorized to perform: es:ESHttpPost

This has me confused since the role that the lambda assumes has the following inline policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:XXXXXXXXXXXX:domain/general-elasticsearch",
            "Effect": "Allow"
        }
    ]
}

Here's the policy on the cluster itself:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXX:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:XXXXXXXXXXX:domain/general-elasticsearch/*"
    }
  ]
}

The policy simulator says all is good:

[screenshot: IAM policy simulator result]

Upvotes: 0

Views: 975

Answers (1)

Parsifal

Reputation: 4486

Add /* to the end of the resource in the IAM policy.

IIRC, Elasticsearch policies behave similarly to S3 policies: if you omit the trailing /*, you can only invoke requests that affect the cluster as a whole. The various HTTP requests, however, affect things like https://cluster/index.

Upvotes: 4
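The denial in the question and the /* fix in the answer, as an added example (this is not code from the question, the answer, or AWS): a small evaluator of IAM wildcard resource matching, run over the question's inline policy, over the same policy with /* appended, and over a policy that lists both the domain ARN and the domain/* form. The account id and the index path /workouts/_doc are constructed placeholders, and the evaluator models only the identity policy (not the domain's resource policy).

```python
import re

# Added example: a minimal evaluator of IAM identity-policy matching, used to
# show why es:ESHttpPost was denied with the domain ARN alone and why a
# trailing /* on the resource fixes it. Account id and index path are
# constructed placeholders, not real identifiers.

ACCOUNT_ID = "111111111111"
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_ID}:domain/general-elasticsearch"

# An HTTP request such as POST /workouts/_doc is authorized against the domain
# ARN plus the request path, not against the bare domain ARN.
INDEX_DOC_ARN = f"{DOMAIN_ARN}/workouts/_doc"

# The inline policy as written in the question: domain ARN, no trailing /*.
POLICY_ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "es:*", "Resource": DOMAIN_ARN, "Effect": "Allow"}],
}

# The answer's fix: /* appended so sub-resources (indices, documents) match.
POLICY_WILDCARD_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "es:*", "Resource": f"{DOMAIN_ARN}/*", "Effect": "Allow"}],
}

# Listing both forms covers domain-level API calls and HTTP requests into the
# domain, with actions narrowed to what the function actually needs.
POLICY_BOTH = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["es:ESHttpGet", "es:ESHttpPost", "es:DescribeElasticsearchDomain"],
            "Resource": [DOMAIN_ARN, f"{DOMAIN_ARN}/*"],
            "Effect": "Allow",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_glob_match(pattern, value, case_insensitive=False):
    """IAM wildcard semantics: '*' matches any run of characters (including
    none), '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Evaluate one identity policy for (action, resource). Actions compare
    case-insensitively, resources case-sensitively, an explicit Deny overrides
    any Allow, and an unmatched request falls through to the default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(iam_glob_match(a, action, case_insensitive=True)
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def explain_policies():
    """Map policy name -> (ESHttpPost on an index doc allowed?,
    DescribeElasticsearchDomain on the domain allowed?)."""
    results = {}
    for name, policy in (("original", POLICY_ORIGINAL),
                         ("wildcard_only", POLICY_WILDCARD_ONLY),
                         ("both", POLICY_BOTH)):
        results[name] = (
            is_allowed(policy, "es:ESHttpPost", INDEX_DOC_ARN),
            is_allowed(policy, "es:DescribeElasticsearchDomain", DOMAIN_ARN),
        )
    return results


if __name__ == "__main__":
    for name, (post_ok, describe_ok) in explain_policies().items():
        print(f"{name:14s} ESHttpPost on index: {post_ok!s:5s} "
              f"DescribeElasticsearchDomain on domain: {describe_ok}")
```

The run shows the three outcomes side by side: the original policy allows domain-level calls but not the POST into an index, the /*-only policy does the reverse (the slash before the star is literal, so the bare domain ARN no longer matches), and listing both resource forms satisfies both while narrowing the action list away from es:*.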
