Reputation: 201
I am trying to connect my EC2 instance to my ES domain and keep getting the following error:
AuthorizationException(403, 'security_exception', 'no permissions for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')
Elasticsearch configuration:
public domain fine-grained access control via IAM access policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/my-role"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/test/*"
    }
  ]
}
EC2 Configuration:
using IAM role my-role
with permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
All HTTP requests sent from EC2 to ES are being signed. I have already verified signing works: if I use the security credentials of the IAM user that I also set as the IAM ARN master user when setting up my ES domain the requests between EC2 and ES work as expected.
Upvotes: 0
Views: 1626
Reputation: 404
If you want to connect to the same ES cluster with FGAC from an EC2 instance, then you need to map the EC2 IAM role to the backend Kibana roles. First you need to log in to Kibana with the master user and then follow the steps from the doc to map the EC2 IAM role to the Kibana 'all_access' role.
Upvotes: 0
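The mapping step this answer refers to, as an added illustration that is not part of the original answer: the 403 text already names the denied action and the caller's backend role (the IAM role ARN), and a GET of the security plugin's role mappings shows whether that ARN is mapped to any security role. The request path below is the Open Distro security API path used by Amazon ES domains at the time of the question (newer OpenSearch domains use `_plugins/_security`); the mapping document is a constructed sample, and signing/sending the request is left to whatever SigV4 client the asker already uses.

```python
import json
import re

# Constructed copy of the 403 body quoted in the question (placeholders kept as on the page).
DENIAL = ("AuthorizationException(403, 'security_exception', 'no permissions for "
          "[indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, "
          "backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')")

# Constructed sample of a GET _opendistro/_security/api/rolesmapping response on a domain
# where only the defaults exist: the EC2 role's ARN is mapped to nothing, hence the 403.
SAMPLE_MAPPINGS = {
    "all_access": {"backend_roles": [], "users": ["master-user"], "hosts": []},
    "kibana_user": {"backend_roles": ["kibana"], "users": [], "hosts": []},
}

def parse_fgac_denial(message):
    """Pull the denied action and the caller's backend roles out of the 403 text."""
    action = re.search(r"no permissions for \[([^\]]+)\]", message)
    roles = re.search(r"backend_roles=\[([^\]]*)\]", message)
    if not action or not roles:
        raise ValueError("not a fine-grained access control denial")
    backend = [r.strip() for r in roles.group(1).split(",") if r.strip()]
    return action.group(1), backend

def roles_granted_to(mappings, backend_role):
    """Security roles whose mapping lists this ARN as a backend role (empty => 403)."""
    return sorted(name for name, m in mappings.items()
                  if backend_role in m.get("backend_roles", []))

def role_mapping_request(security_role, backend_role, current=None):
    """Method, path and body for the PUT that adds backend_role to security_role.
    PUT replaces the whole mapping, so existing entries are carried over, not dropped."""
    current = current or {}
    backend_roles = list(dict.fromkeys(current.get("backend_roles", []) + [backend_role]))
    body = {"backend_roles": backend_roles,
            "users": list(current.get("users", [])),
            "hosts": list(current.get("hosts", []))}
    return "PUT", f"/_opendistro/_security/api/rolesmapping/{security_role}", body

if __name__ == "__main__":
    action, backend = parse_fgac_denial(DENIAL)
    for arn in backend:
        granted = roles_granted_to(SAMPLE_MAPPINGS, arn)
        print(f"{action}: {arn} -> {granted or 'no mapping, which explains the 403'}")
        method, path, body = role_mapping_request("all_access", arn, SAMPLE_MAPPINGS["all_access"])
        print(method, path, json.dumps(body))
```

The answer maps the role to all_access; for the search call in the error, mapping it to the predefined readall role instead is the least-privilege choice.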
Reputation: 1143
The issue might be with fine-grained access control in ES. The same issue is mentioned here.
Upvotes: 1