Reputation: 33
I'm trying to do a PUT request to upload data to a collection I have created. However, I'm getting a 403 error: 'User does not have permissions for the requested resource'.
I believe I have granted full IAM access to the user but I'm still getting the same error.
Here is the IAM and function within my serverless file:
iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - aoss:*
        Resource:
          - '*'

functions:
  lambdaFunction:
    handler: src/controllers/lambdaFunction.handler
    description: create a lambda
    events:
      - http:
          path: /lambda
          method: post
          cors: ${self:custom.cors-settings}
          private: false
          authorizer:
            type: CUSTOM
            authorizerId: ${self:provider.environment.authorizer_ref}
            resultTtlInSeconds: 0
    memorySize: 256
    logRetentionInDays: 30
    iamRoleStatementsInherit: true
    iamRoleStatements:
      - Effect: Allow
        Action:
          - aoss:*
        Resource:
          - '*'
Upvotes: 1
Views: 2574
Reputation: 1527
The documentation unfortunately is not one of the best, but first off you need to create a data access policy inside your Opensearch Serverless collection where you add a rule with:
If you don't know your lambda role, you can just go to your lambda detail page and then navigate to 'Configuration > Permissions' and it's sitting right at the top of that page.
After that you should give the lambda role the access policy to perform the aoss:APIAccessAll action. Now I didn't find any 'pre-made' access policy, so I created a new one with the name OpensearchServerlessAPICaller and the following JSON policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "aoss:BatchGetCollection",
        "aoss:APIAccessAll"
      ],
      "Resource": "*"
    }
  ]
}
With everything in place, your lambda can now make calls directly to your Opensearch Serverless collection. Remember to correctly authenticate the client of the library you are using. I suggest using @opensearch-project/opensearch if you are using Node, which means you should create the client with:
import { AwsSigv4Signer } from '@opensearch-project/opensearch/aws';
import { Client } from '@opensearch-project/opensearch';
import { defaultProvider } from '@aws-sdk/credential-provider-node';

const client = new Client({
  // The collection endpoint, of the form https://<collection-id>.<region>.aoss.amazonaws.com
  node: 'Your opensearch host',
  // Signs every request with SigV4 so the collection can identify the caller's IAM role
  ...AwsSigv4Signer({
    region: 'eu-central-1',
    // Must be 'aoss' for OpenSearch Serverless (managed OpenSearch domains use 'es')
    service: 'aoss',
    getCredentials: () => {
      // Resolves the Lambda execution role's credentials from the runtime environment
      const credentialsProvider = defaultProvider();
      return credentialsProvider();
    },
  }),
});
Sidenote: Keep in mind that if you opted to protect your opensearch collection within a VPC, then you should place the lambda within the same VPC, otherwise it's not going to reach the collection.
Upvotes: 3
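The two authorization layers the answer describes (an IAM policy on the Lambda role, plus a data access policy on the collection that names that role as a principal) can both be declared in serverless.yml so nothing has to be clicked together in the console. The following is an added example, not the asker's or answerer's configuration. It assumes a collection named my-collection that already exists, the Serverless Framework default execution role (logical ID IamRoleLambdaExecution, i.e. without the per-function roles plugin), the Serverless v3 variables ${aws:region} and ${aws:accountId}, and a placeholder <collection-id> that you replace with the real collection ID (collection ARNs use the ID, not the name). Compared with the question's aoss:* on '*', it grants only what the data plane needs.

```yaml
# Added example (not from the question or answer). Assumptions: collection
# my-collection exists, the default Serverless execution role is used, and
# <collection-id> is replaced with the collection's ID.
service: opensearch-serverless-writer

provider:
  name: aws
  region: eu-central-1
  iam:
    role:
      statements:
        # Gate 1: IAM. aoss:APIAccessAll is the only action the data plane
        # (index, search, PUT document) checks. Scope it to one collection
        # instead of '*'. Control-plane calls such as BatchGetCollection are
        # only needed if the function looks up the endpoint at runtime.
        - Effect: Allow
          Action:
            - aoss:APIAccessAll
          Resource:
            - arn:aws:aoss:${aws:region}:${aws:accountId}:collection/<collection-id>

functions:
  lambdaFunction:
    handler: src/controllers/lambdaFunction.handler
    environment:
      # Assumed endpoint variable read by the client code, e.g.
      # https://<collection-id>.eu-central-1.aoss.amazonaws.com
      OPENSEARCH_ENDPOINT: https://<collection-id>.eu-central-1.aoss.amazonaws.com

resources:
  Resources:
    # Gate 2: the collection's own data access policy. IAM alone is not
    # enough: a request from a role that no data access policy names as a
    # Principal is rejected with 403 even when IAM allows aoss:*.
    LambdaDataAccessPolicy:
      Type: AWS::OpenSearchServerless::AccessPolicy
      Properties:
        Name: lambda-data-access
        Type: data
        Description: Allow the Lambda execution role to read and write my-collection
        # The policy is a JSON string; the role ARN is joined in with GetAtt
        # so the role does not have to be known before deployment.
        Policy:
          Fn::Join:
            - ""
            - - |-
                [{"Description": "Lambda execution role",
                  "Rules": [
                    {"ResourceType": "collection",
                     "Resource": ["collection/my-collection"],
                     "Permission": ["aoss:DescribeCollectionItems"]},
                    {"ResourceType": "index",
                     "Resource": ["index/my-collection/*"],
                     "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex",
                                    "aoss:ReadDocument", "aoss:WriteDocument"]}
                  ],
                  "Principal": ["
              - Fn::GetAtt: [IamRoleLambdaExecution, Arn]
              - '"]}]'
```

The index rule is where a PUT of a document is authorized (aoss:WriteDocument, plus aoss:CreateIndex if the index does not exist yet); drop the permissions the function does not use. If you use serverless-iam-roles-per-function, as the question's iamRoleStatements suggests, point the Fn::GetAtt at that plugin's per-function role instead of IamRoleLambdaExecution, and if the collection has a VPC network policy the function still has to run inside that VPC, as the answer's sidenote says.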