chinahalffull

Reputation: 51

AWS Elasticsearch IAM question to access Kibana via Browser

I've set up my elasticsearch yml file (deployed via Serverless) as follows:

Resources:
  CRMSearch:
    Type: "AWS::Elasticsearch::Domain"
    Properties:
      ElasticsearchVersion: "7.10"
      DomainName: "crm-searchdb-${self:custom.stage}"
      ElasticsearchClusterConfig:
        DedicatedMasterEnabled: false
        InstanceCount: "1"
        ZoneAwarenessEnabled: false
        InstanceType: "t3.medium.elasticsearch"
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 10
        VolumeType: "gp2"
      AccessPolicies:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS: [
                "arn:aws:iam::#{AWS::AccountId}:role/crm-databases-dev-us-east-1-lambdaRole",
                '#{AWS::AccountId}',
                'arn:aws:iam::#{AWS::AccountId}:user/nicholas',
                'arn:aws:iam::#{AWS::AccountId}:user/daniel'
                ]
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:#{AWS::AccountId}:domain/crm-searchdb-${self:custom.stage}"
          - Effect: "Allow"
            Principal:
              AWS: [
                "*"
                ]
            Action: "es:*"
            Resource: "arn:aws:es:us-east-1:#{AWS::AccountId}:domain/crm-searchdb-${self:custom.stage}"
      AdvancedOptions:
        rest.action.multi.allow_explicit_index: 'true'
      AdvancedSecurityOptions:
        Enabled: true
        InternalUserDatabaseEnabled: true
        MasterUserOptions:
          MasterUserName: admin
          MasterUserPassword: fD343sfdf!3rf
      EncryptionAtRestOptions:
        Enabled: true
      NodeToNodeEncryptionOptions:
        Enabled: true
      DomainEndpointOptions:
        EnforceHTTPS: true

I'm just trying to get access to Kibana via browser. I set up open permission Kibana a few months ago at a previous company, but can't seem to access Kibana via browser no matter what I do. I always get the {"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"} error. How do I set up permissions (ideally via yml) to accomplish this?

Upvotes: 0

Views: 355

Answers (1)

avik

Reputation: 2708

User: anonymous is not authorized to perform: es:ESHttpGet

The breakdown of what results in this message is:

  1. Your browser fetches Kibana assets / scripts.
  2. Kibana client-side code running on your browser makes a GET request to your ElasticsearchService domain.
  3. Your browser is not a permitted principal and is denied access. The anonymous user from the message is your browser.

This is explained in the AWS ElasticsearchService documentation:

Because Kibana is a JavaScript application, requests originate from the user's IP address.


In terms of your next step, the answers to the following question cover the two options you have:

How to access Kibana from Amazon elasticsearch service?

  1. (Yaml solution, overall NOT advisable for several reasons) Add an extra statement to your access policy to allow actions from your device's IP address(es)
  2. (Non-Yaml solution) Set up a proxy that will handle the requests from your browser and basically pass them on after signing them with the credentials of a trusted principal. This can either be a proxy running on additional AWS infrastructure or something running on your local machine. Again, the answers on the linked question go into more details.

Upvotes: 1
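
What the proxy in option 2 does for each browser request, shown as an added example (not code from the answer or from AWS): it attaches a Signature Version 4 `Authorization` header computed with the trusted principal's credentials, so the domain no longer sees the caller as anonymous. The host name and credentials are constructed placeholders, and the sketch assumes a body-less GET with no query string and a path that needs no percent-encoding.

```python
import datetime
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_get(host, path, access_key, secret_key, now,
             region="us-east-1", service="es"):
    """Headers a signing proxy adds to a GET; `now` is a UTC datetime."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    signed_headers = "host;x-amz-date"
    # Canonical request: method, path, empty query string, headers,
    # signed header names, SHA-256 of the empty body.
    canonical = "\n".join([
        "GET", path, "",
        f"host:{host.lower()}\nx-amz-date:{amz_date}\n",
        signed_headers,
        hashlib.sha256(b"").hexdigest(),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    # The signing key is derived from the secret and bound to day, region, service.
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = _hmac(key, string_to_sign).hex()
    return {
        "Host": host,
        "X-Amz-Date": amz_date,
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }


if __name__ == "__main__":
    # Constructed placeholders: not a real endpoint, not real credentials.
    headers = sign_get("search-crm-searchdb-dev-EXAMPLE.us-east-1.es.amazonaws.com",
                       "/_plugin/kibana/", "AKIDEXAMPLE", "EXAMPLE-SECRET-KEY",
                       datetime.datetime.now(datetime.timezone.utc))
    for name, value in headers.items():
        print(f"{name}: {value}")
```

A request that arrives without these headers is the `User: anonymous` case from the error message; with them, the access policy is evaluated against the signing principal instead.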
