
I get this error in the CloudWatch logs of Kinesis Firehose:

{
    "deliveryStreamARN": "arn:aws:firehose:us-west-2:917877325894:deliverystream/test_dynamodb",
    "destination": "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb2",
    "deliveryStreamVersionId": 1,
    "message": "Error received from Elasticsearch cluster. {\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role2, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role2], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role2, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role2], requestedTenant=null]\"},\"status\":403}",
    "errorCode": "ES.ServiceException"
}

I have added all different policies to the role attached to Firehose but am still getting the same error. (By the way, the role was made by Firehose itself, but I also tried adding more policies with no different result.)

I also have an open access policy for the Elasticsearch domain.

Did anyone face the same thing before?

Data_sniffer
  • Did you use the test stream run on Firehose? I tried to replicate your issue earlier, with all the default roles, and had no issues using the test stream on Firehose. – Marcin Jun 12 '20 at 23:38
  • @Marcin I really appreciate you trying to help. Yes, I tested it using the test stream on Firehose. I guess I will try it from a different account then, because I am using all default roles too but it's not working for me and it's really frustrating. – Data_sniffer Jun 13 '20 at 02:24
  • @Marcin I even get a similar permissions error message when I go to the "indices" section in Elasticsearch itself. /_mapping: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/mappings/get] and User [name=arn:aws:iam::917877325894:user/ipath-dev-IAMStack-1QMTXUYFNEW09-IpathAdmin-1QTPXQV9Q51OK, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/mappings/get] and User [name=arn:aws:iam::917877325894:user/AMStack-1QMTXUYF, backend_roles=[], requestedTenant=null]"},"status":403} – Data_sniffer Jun 15 '20 at 18:22
  • Don't know. Maybe there are some other permissions in your account that deny this. Maybe your account is part of an AWS Org and there is an SCP at the org level that denies such operations? – Marcin Jun 15 '20 at 23:04

1 Answer


I had the same problem; instructions for troubleshooting are here:

https://aws.amazon.com/premiumsupport/knowledge-center/es-troubleshoot-cloudwatch-logs/

Go to Kibana and add your all_access mapping. Voila.
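The error record names the Firehose IAM role as a backend role that the domain's fine-grained access control has no mapping for, which is why adding IAM policies alone never helps. As an added example (not from the question or the answer), this Python reads the principal and the missing action out of such a record and builds a security-plugin role scoped to one index pattern, plus its role mapping, instead of granting all_access; the action groups, role name, index pattern, API path and account id are assumptions or placeholders.

```python
import json
import re

# Constructed sample in the shape Firehose writes to CloudWatch Logs (placeholder account id).
INNER = {"error": {"root_cause": [{"type": "security_exception", "reason":
    "no permissions for [indices:data/write/bulk] and User "
    "[name=arn:aws:iam::111122223333:role/firehose_delivery_role2, "
    "backend_roles=[arn:aws:iam::111122223333:role/firehose_delivery_role2], "
    "requestedTenant=null]"}]}, "status": 403}
SAMPLE_RECORD = json.dumps({
    "destination": "arn:aws:es:us-west-2:111122223333:domain/test-dynamodb2",
    "message": "Error received from Elasticsearch cluster. " + json.dumps(INNER),
    "errorCode": "ES.ServiceException"})

REASON_RE = re.compile(r"no permissions for \[(?P<action>[^\]]+)\] and User "
                       r"\[name=(?P<name>[^,]+), backend_roles=\[(?P<backend>[^\]]*)\]")

def parse_security_exception(record_json):
    """Return (missing_action, principal, backend_roles) or None for a Firehose error record."""
    msg = json.loads(record_json)["message"]
    prefix = "Error received from Elasticsearch cluster. "
    if not msg.startswith(prefix):
        return None
    for cause in json.loads(msg[len(prefix):]).get("error", {}).get("root_cause", []):
        if cause.get("type") != "security_exception":
            continue
        m = REASON_RE.search(cause.get("reason", ""))
        if m:
            backend = [b.strip() for b in m["backend"].split(",") if b.strip()]
            return m["action"], m["name"], backend
    return None

def firehose_security_role(index_pattern):
    """Security-plugin role scoped to one index pattern instead of all_access (assumed action groups)."""
    return {"cluster_permissions": ["cluster_composite_ops", "cluster_monitor"],
            "index_permissions": [{"index_patterns": [index_pattern],
                                   "allowed_actions": ["crud", "create_index"]}]}

def plan_fix(record_json, role_name="firehose_writer", index_pattern="test_dynamodb*"):
    """Build the two security API PUTs (role, then role mapping) that cure this 403."""
    parsed = parse_security_exception(record_json)
    if parsed is None:
        return []
    _action, principal, backend = parsed
    base = "_opendistro/_security/api"  # assumed; "_plugins/_security/api" on OpenSearch
    mapping = {"backend_roles": sorted(set(backend or [principal])), "hosts": [], "users": []}
    return [("PUT", f"{base}/roles/{role_name}", firehose_security_role(index_pattern)),
            ("PUT", f"{base}/rolesmapping/{role_name}", mapping)]
```

The two request bodies are what you would PUT to the domain (or enter under Security in Kibana) as the domain's master user; the mapping is keyed on the IAM role ARN, so the Firehose role needs no IAM change beyond what it already has.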