I am trying to create an AWS Lambda using C# to access the AWS Elasticsearch service. I have created a role that my Lambda function is configured to use, which has access to Elasticsearch. But the permission doesn't seem to be working.
Here is my setup:
1. I have created an access policy with Read and Write access to the ES service.
2. Created a role and assigned the above policy.
3. I have granted permissions to this role on my ES cluster:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::XXXXXXXXXXX:role/lambda-es-role"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-west-2:XXXXXXXXXXXXXx:domain/es-test-es/*"
        }
      ]
    }
I have some simple code in the Lambda to see if I can connect to it:

    using System.Net.Http;
    using System.Threading.Tasks;

    public async Task<string> FunctionHandler()
    {
        // Plain HTTPS GET against the domain endpoint; no AWS credentials are attached to the request
        HttpClient client = new HttpClient();
        var response = await client.GetStringAsync("https://XXXXX.us-west-2.es.amazonaws.com/firstindex");
        return response;
    }
This gives me a 403 Forbidden error. I even tried setting a trust relationship with es.amazonaws.com for the role. That also did not work.
If I make the ES cluster public, I can see the response.
Will this method work with Lambda? Am I missing some permissions?
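A plain HttpClient call carries no AWS identity, so the domain policy's grant to lambda-es-role never applies and the request is evaluated as anonymous, which is exactly what the 403 reports (and why opening the domain to the public "works"). The following is an added example, not code from the question, that signs the same GET with Signature Version 4 using the execution-role credentials Lambda exposes in AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN; host, path and region are placeholders the caller supplies.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

public static class SignedEsClient
{
    static byte[] Hmac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create()) return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }

    // GET https://{host}{path}, signed with SigV4 for the "es" service.
    // host, path and region are placeholders (e.g. the domain endpoint, "/firstindex", "us-west-2").
    public static async Task<string> GetAsync(string host, string path, string region)
    {
        // Lambda exports the execution role's temporary credentials in these variables;
        // without them in the Authorization header the request is evaluated as anonymous.
        var accessKey = Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID");
        var secretKey = Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY");
        var token = Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN");
        var now = DateTime.UtcNow;
        var amzDate = now.ToString("yyyyMMdd'T'HHmmss'Z'");
        var scope = $"{now:yyyyMMdd}/{region}/es/aws4_request";

        // Canonical request: method, path, empty query, sorted lowercase headers, signed-header list, payload hash.
        const string signedHeaders = "host;x-amz-date;x-amz-security-token";
        var canonical = $"GET\n{path}\n\nhost:{host}\nx-amz-date:{amzDate}\nx-amz-security-token:{token}\n\n{signedHeaders}\n{Sha256Hex("")}";
        var stringToSign = $"AWS4-HMAC-SHA256\n{amzDate}\n{scope}\n{Sha256Hex(canonical)}";

        // Signing key: HMAC chain over date, region, service and the fixed "aws4_request" terminator.
        var kDate = Hmac(Encoding.UTF8.GetBytes("AWS4" + secretKey), now.ToString("yyyyMMdd"));
        var kSigning = Hmac(Hmac(Hmac(kDate, region), "es"), "aws4_request");
        var signature = Hex(Hmac(kSigning, stringToSign));

        var request = new HttpRequestMessage(HttpMethod.Get, $"https://{host}{path}");
        request.Headers.Add("x-amz-date", amzDate);
        request.Headers.Add("x-amz-security-token", token);
        request.Headers.Authorization = new AuthenticationHeaderValue("AWS4-HMAC-SHA256",
            $"Credential={accessKey}/{scope}, SignedHeaders={signedHeaders}, Signature={signature}");

        using (var client = new HttpClient())
        {
            var response = await client.SendAsync(request);
            response.EnsureSuccessStatusCode(); // a 403 here means the signing principal is not the one the domain policy allows
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

With requests signed this way the domain policy shown above can stay as it is; the role's own IAM policy and the domain resource policy are then both evaluated against the signed principal instead of an anonymous caller.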