How to connect to AWS Elasticsearch from EC2 using IAM?

Question

I am trying to connect my EC2 instance to my ES domain and keep getting the following error:

AuthorizationException(403, 'security_exception', 'no permissions for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')

Elasticsearch configuration:

public domain fine-grained access control via IAM access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/my-role"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/test/*"
    }
  ]
}

EC2 Configuration:

using IAM role my-role with permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "es:*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

All HTTP requests sent from EC2 to ES are being signed. I have already verified signing works: if I use the security credentials of the IAM user that I also set as the IAM ARN master user when setting up my ES domain the requests between EC2 and ES work as expected.

score 1 · Answer 1 · answered May 22 '21 at 11:10

1

The issue might be with fine-grained access control in ES. Same issue is mentioned here

answered May 22 '21 at 11:10

Jyothish

1,031
1
9
19

thanks, i created a new domain with fine grained access disabled and everything is working as expected – user1040535 May 22 '21 at 16:18

score 0 · Answer 2 · answered May 23 '21 at 01:47

If you want to connect to same ES cluster with FGAC from EC2 instance then you need to map EC2 IAM role with backend kibana roles. First you need to login to kibana with master user and then follow steps from doc to map EC2 IAM role to kibana 'all_access' role

How to connect to AWS Elasticsearch from EC2 using IAM?

2 Answers2