0

I'm studying about ELK Stack and AWS Gateway.

I created AWS ElasticSearch and set this access policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[AWS account ID]:root" }, "Action": "es:*", "Resource": "arn:aws:es:sa-east-1:[AWS account ID]:domain/camarar-elk/*" } ] }

PS: I try to use with this policy too: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[AWS account ID]:user/[User]" }, "Action": "es:*", "Resource": "arn:aws:es:sa-east-1:[AWS account ID]:domain/camarar-elk/*" } ] }

After, I created an AWS API Gateway using http proxy and GET method to route all request to Kibana url. And in this Gateway I using one AWS IAM to access Kibana.

Finally, I created an user of AWS IAM with this policy "AmazonESFullAccess".

All the time I received the same error:{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: camarar-elk"}

Anybody could you please help me to resolve this problem?

Camarar
  • 11
  • 4

2 Answers2

1

I'm already using a policy with this action("Action": "es:*") because I wrote wrong in my question.

My actual policy in Elasticsearch:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[AWS account ID]:root" }, "Action": "es:*", "Resource": "arn:aws:es:sa-east-1:[AWS account ID]:domain/camarar-elk/*" } ] }

Camarar
  • 11
  • 4
0

"Action": "es:",

I believe this is your problem. You'll have to either specify an action like es:ESHttpGet or allow all actions with es:*

jackko
  • 6,998
  • 26
  • 38