Reputation: 377
I have set up a serverless collection. From my local environment I can put and search the index with the Java OpenSearchClient:
this.client = new OpenSearchClient(
    new AwsSdk2Transport(
        httpClient,
        collection, // serverless collection endpoint
        "aoss", // signing service name
        Region.US_WEST_2, // signing service region
        AwsSdk2TransportOptions.builder().build()));
When calling from my local environment, where AWS credentials are stored in .aws or a user access key and secret are set in the application properties, everything works.
But when I try to run it in an ECS task, I get a 403 Forbidden. I have set the data access control in AWS OpenSearch:
[
  {
    "Rules": [
      {
        "Resource": [
          "collection/demo-test"
        ],
        "Permission": [
          "aoss:CreateCollectionItems",
          "aoss:DeleteCollectionItems",
          "aoss:UpdateCollectionItems",
          "aoss:DescribeCollectionItems"
        ],
        "ResourceType": "collection"
      },
      {
        "Resource": [
          "index/demo-test/demo",
          "index/demo-test/develop"
        ],
        "Permission": [
          "aoss:CreateIndex",
          "aoss:DeleteIndex",
          "aoss:UpdateIndex",
          "aoss:DescribeIndex",
          "aoss:ReadDocument",
          "aoss:WriteDocument"
        ],
        "ResourceType": "index"
      }
    ],
    "Principal": [
      "arn:aws:iam::924347859631:user/someuser",
      "arn:aws:iam::924347859631:role/develop-ecs-task-role"
    ],
    "Description": "Easy data policy"
  }
]
When I use someuser's credentials it works, but running inside an ECS task with the proper IAM role, a 403 is all I get.
Update: It seems that the role or user present in the data access control must also have some IAM permissions. Still looking into it to pinpoint the required IAM permissions.
Upvotes: 0
Views: 27
Reputation: 377
Shame on me for not reading carefully.
Being granted permissions within a data access policy is not sufficient to access data in your OpenSearch Serverless collection. An associated principal must also be granted access to the IAM permissions aoss:APIAccessAll and aoss:DashboardsAccessAll. Both permissions grant full access to collection resources, while the Dashboards permission also provides access to OpenSearch Dashboards. If a principal doesn't have both of these IAM permissions, they will receive 403 errors when attempting to send requests to the collection.
The ECS task execution role must have this permission:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "aoss:APIAccessAll",
      "Resource": "your resource"
    }
  ]
}
Upvotes: 0
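As an added example that is not part of the question or answer above, here is a local Python preflight check that mirrors the two authorization layers the answer describes: the principal must be listed in a data access policy rule covering the resource and permission, AND its IAM policy must allow aoss:APIAccessAll. The sample policies are constructed from the question (abridged); the IAM evaluation is simplified to Effect/Action matching and ignores Resource and Condition.

```python
import fnmatch
import json

# Constructed sample inputs: the data access policy from the question
# (abridged) and two candidate IAM policies for the ECS task role,
# the one that yields a 403 and the fixed one with aoss:APIAccessAll.
TASK_ROLE = "arn:aws:iam::924347859631:role/develop-ecs-task-role"
DATA_ACCESS_POLICY = json.loads("""[{"Rules": [
  {"Resource": ["collection/demo-test"], "ResourceType": "collection",
   "Permission": ["aoss:DescribeCollectionItems"]},
  {"Resource": ["index/demo-test/demo"], "ResourceType": "index",
   "Permission": ["aoss:ReadDocument", "aoss:WriteDocument"]}],
 "Principal": ["arn:aws:iam::924347859631:role/develop-ecs-task-role"]}]""")
IAM_MISSING = {"Version": "2012-10-17", "Statement": []}
IAM_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "aoss:APIAccessAll",
     "Resource": "arn:aws:aoss:us-west-2:924347859631:collection/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def data_policy_grants(policy, principal, resource, permission):
    """True if some policy document lists the principal and has a rule whose
    Resource pattern (trailing * wildcard allowed) covers the resource and
    whose Permission list contains the requested permission."""
    for doc in policy:
        if principal not in doc.get("Principal", []):
            continue
        for rule in doc["Rules"]:
            if (any(fnmatch.fnmatch(resource, r) for r in rule["Resource"])
                    and permission in rule["Permission"]):
                return True
    return False


def iam_allows(policy, action):
    """True if an Allow statement matches the action and no Deny does
    (Resource and Condition elements are deliberately not evaluated)."""
    allowed = denied = False
    for st in policy["Statement"]:
        if any(fnmatch.fnmatch(action, a) for a in _as_list(st["Action"])):
            allowed |= st["Effect"] == "Allow"
            denied |= st["Effect"] == "Deny"
    return allowed and not denied


def preflight(data_policy, iam_policy, principal, resource, permission):
    """Return the reason a request would get a 403, or None if it passes."""
    if not data_policy_grants(data_policy, principal, resource, permission):
        return "principal/resource not covered by data access policy"
    if not iam_allows(iam_policy, "aoss:APIAccessAll"):
        return "IAM policy lacks aoss:APIAccessAll (403 despite data policy)"
    return None
```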