
I have some simple code which makes a query to an Elasticsearch cluster in a different AWS account. Here is the code:

import json
import os
from datetime import datetime

import boto3
from elasticsearch import Elasticsearch, RequestsHttpConnection
from requests_aws4auth import AWS4Auth

# The post does not show where these two values come from; they are read from
# the environment here so the script runs as-is.
region = os.environ["AWS_REGION"]
es_host = os.environ["ES_HOST"]  # domain endpoint hostname, no scheme


def get_es_client():
    # Assume the role in the account that owns the ES domain, then sign every
    # request with the temporary credentials (key, secret and session token).
    sts_connection = boto3.client('sts')
    es_gamma_act = sts_connection.assume_role(
        RoleArn="arn:aws:iam::<HIDDEN>:role/SIP_Metrics_Cross_Account_Access",
        RoleSessionName="cross_acct_lambda"
    )

    access_key = es_gamma_act['Credentials']['AccessKeyId']
    secret_key = es_gamma_act['Credentials']['SecretAccessKey']
    session_token = es_gamma_act['Credentials']['SessionToken']

    # SigV4 signer for the "es" service; the session token must be included
    # for STS credentials.
    aws_auth = AWS4Auth(access_key, secret_key, region, "es", session_token=session_token)
    return Elasticsearch(
        hosts=[{'host': es_host, 'port': 443}],
        http_auth=aws_auth,
        use_ssl=True,
        verify_certs=True,
        connection_class=RequestsHttpConnection,
        timeout=120
    )


def datetime_to_millis(date):
    return int(date.timestamp() * 1000)


def get_summary_count(es_client, start_date, end_date, summary_type=None, workflow=None):
    query = {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"locale.keyword": "en-US"}},
                    {
                        "range": {
                            "indexedAt": {
                                "gte": datetime_to_millis(start_date),
                                "lt": datetime_to_millis(end_date)
                            }
                        }
                    }
                ]
            }
        }
    }

    print(json.dumps(query))

    # count() is sent as an HTTP POST to /summary-news-index/_count, which is
    # why the 403 below names the es:ESHttpPost action.
    count = es_client.count(index="summary-news-index", body=query)
    return count['count']


def get_es_data():
    es_client = get_es_client()

    start_date = datetime(2021, 7, 1)
    end_date = datetime(2021, 7, 3)

    count = get_summary_count(es_client, start_date, end_date)
    print(count)


if __name__ == "__main__":
    get_es_data()

I get the following error when I run this:

elasticsearch.exceptions.AuthorizationException: AuthorizationException(403, '{"Message":"User: arn:aws:sts::<HIDDEN>:assumed-role/SIP_Metrics_Cross_Account_Access/cross_acct_lambda is not authorized to perform: es:ESHttpPost"}')

I am using STS to assume a role in the target account (the same account as ES) which has permission to do ESHttpPost. It seems like I am able to assume the role correctly, but even though I have ESHttpPost permissions, I am still getting this error. This happens when I run this code from a Lambda function as well.

Can you please advise if I am missing something here? I appreciate your response.

P.S. As requested, the IAM policy attached to the assumed role arn:aws:iam:::role/SIP_Metrics_Cross_Account_Access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "*"
        }
    ]
}
John Rotenstein
Rahul Patwa
  • Can we see the IAM policy that is attached to the assumed role? – Jordan Jul 28 '21 at 21:45
  • Edited the question with the IAM policy attached to the role – Rahul Patwa Jul 28 '21 at 22:53
  • In your edit, you show a policy named `SIP_Metrics_Cross_Account_Access`, but the error message is showing a policy named `SIP_Metrics_Cross_Account_Access/cross_acct_lambda`. Is there an error here? – Jordan Jul 29 '21 at 16:46
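An added check that is not part of the question or of any answer: it parses the principal named in the AuthorizationException above, maps the STS assumed-role ARN back to the IAM role ARN (the `assumed-role/ROLE/SESSION` form is the standard STS principal, where the session name comes from the `RoleSessionName` passed to `assume_role`), and builds the domain-level access policy statement that Amazon ES evaluates in addition to the role's identity policy before it honours an `es:ESHttp*` call. The domain ARN and region used at the bottom are placeholders, not values from the post.

```python
"""Map the STS principal in an Amazon ES 403 back to its IAM role and build the
domain access policy that would need to allow it.  Added example; the error
text is copied from the question, with the account ID redacted as it was there.
"""
import json
import re

# Error message from the question (account ID redacted in the original).
ERROR_MESSAGE = (
    'User: arn:aws:sts::<HIDDEN>:assumed-role/SIP_Metrics_Cross_Account_Access/'
    'cross_acct_lambda is not authorized to perform: es:ESHttpPost'
)

# arn:PARTITION:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
_ASSUMED_ROLE_RE = re.compile(
    r"arn:(?P<partition>aws[a-z-]*):sts::(?P<account>[^:]*):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+)"
)


def parse_assumed_role_arn(text):
    """Return (partition, account, role_name, session_name) for the first
    assumed-role ARN found in `text`, or None if there is none."""
    m = _ASSUMED_ROLE_RE.search(text)
    if not m:
        return None
    return (m.group("partition"), m.group("account"),
            m.group("role"), m.group("session"))


def role_arn_from_assumed_role(text):
    """IAM role ARN behind an STS assumed-role principal.  The session name is
    not part of the role's identity, so it is dropped.  Caveat: a role created
    with an IAM path loses that path in the assumed-role ARN, so the result is
    always the path-less form."""
    parsed = parse_assumed_role_arn(text)
    if parsed is None:
        raise ValueError("no assumed-role ARN found")
    partition, account, role, _session = parsed
    return f"arn:{partition}:iam::{account}:role/{role}"


def denied_action(text):
    """The IAM action the service refused, e.g. 'es:ESHttpPost'."""
    m = re.search(r"not authorized to perform: (\S+)", text)
    return m.group(1) if m else None


def domain_access_policy(role_arn, domain_arn):
    """Resource-based access policy for the ES domain that lets `role_arn`
    make HTTP calls.  An identity policy on the role (the es:* policy posted
    above) is not sufficient by itself: the domain's own access policy, or its
    fine-grained access control role mapping, must also allow the principal.
    Scoped to es:ESHttp* rather than es:* (least privilege for a query client)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "es:ESHttp*",
                "Resource": f"{domain_arn}/*",
            }
        ],
    }


if __name__ == "__main__":
    role_arn = role_arn_from_assumed_role(ERROR_MESSAGE)
    print("denied action:", denied_action(ERROR_MESSAGE))
    print("IAM role     :", role_arn)  # compare with RoleArn in the script
    # Hypothetical domain ARN (assumption); substitute the real domain's ARN.
    domain_arn = "arn:aws:es:us-east-1:<HIDDEN>:domain/example-domain"
    print(json.dumps(domain_access_policy(role_arn, domain_arn), indent=2))
```

The derived role ARN should match the `RoleArn` passed to `assume_role` in the script above; if it does, the principal in the 403 is indeed the role whose identity policy was posted, and the next place to look is the domain's access policy or role mapping rather than the IAM policy.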

0 Answers