I need your help with the right policy. I am using the A Cloud Guru AWS Sandbox and I am trying to use the elasticsearch lib for Python code run on Lambda. But for OpenSearch only "configure domain level access policy" is possible to use. I opened access for my home IP with this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:yyyyyyyyyyy:domain/test-es-1/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xx.xx.xxx.xx/32"
        }
      }
    }
  ]
}
It works fine for me. Now I am trying to run some simple code on Lambda and got an error:
"errorMessage": "AuthorizationException(403, '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPut"}')","errorType": "AuthorizationException",
I decided to open region us-east-1 and add a section:
{
  "Effect": "Allow",
  "Action": "es:*",
  "Principal": {
    "AWS": "*"
  },
  "Resource": "arn:aws:es:us-east-1:yyyyyyyyyyy:domain/test-es-1/*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "us-east-1"
    }
  }
}
But I can't save the policy; I got an error:
UpdateDomainConfig: {"message":"Apply a restrictive access policy to your domain"}
Maybe I am going in the wrong direction; could someone help me solve the issue or push me in the right direction?
Thank you in advance, BR Aleksei.
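
An added example, not part of the original post: a small Python check that walks a domain access policy and reports Allow statements that name the wildcard principal without an `aws:SourceIp` restriction, which is the shape of the second statement above. The rule it applies is an assumption about what makes a policy "restrictive", not AWS's own validation logic; the account id and IP in the sample are constructed placeholders.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    # Matches "Principal": "*" and "Principal": {"AWS": "*"}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def source_ip_ranges(statement):
    # Collect CIDRs from an IpAddress / aws:SourceIp condition, if present
    ranges = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() == "ipaddress":
            for key, value in keys.items():
                if key.lower() == "aws:sourceip":
                    ranges.extend(_as_list(value))
    return ranges

def open_statements(policy):
    # Indexes of Allow statements for any principal with no usable IP restriction
    # (assumed rule for this example, not AWS's validator)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        ranges = source_ip_ranges(st)
        if not ranges or any(r in ("0.0.0.0/0", "::/0") for r in ranges):
            findings.append(i)
    return findings

# Constructed sample modelled on the two statements in the post;
# the account id and IP are placeholders, not values from the page.
RESOURCE = "arn:aws:es:us-east-1:111122223333:domain/test-es-1/*"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
         "Resource": RESOURCE,
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.10/32"}}},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
         "Resource": RESOURCE,
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}

if __name__ == "__main__":
    print(json.dumps({"open_statement_indexes": open_statements(POLICY)}))
```
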