I have an AWS ElasticSearch Cluster in account "A".

I'm trying to create a lambda (triggered via API) in account "B" that will fetch data from ES in account "A".

I'm getting the following error:

"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"

My Access policy in ES Security Configuration:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    }
  ]
}

I modified the access policy with the following but still facing the same issue:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    }
  ]
}

1 Answer

Try to explicitly allow the role arn:aws:sts::AccountB:assumed-role/lambdaRole to perform all the actions on the Elasticsearch domain in AccountA.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::AccountB:assumed-role/lambdaRole"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    }
  ]
}
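The question's first policy and the answer's explicit-principal policy differ in who gets through the domain's resource-based policy, but a cross-account caller also needs an allow on the Lambda role's own identity-based policy in account B; the resource policy alone is not enough across accounts. The model below, added here as an illustration and not code from AWS or from either poster, evaluates a request against both policies to show that. The account ids, role name, domain name, the 203.0.113.0/24 CIDR and the source IPs are constructed placeholders, and the principal matching maps an STS assumed-role session ARN back to the IAM role ARN, which is how a role principal in a policy matches every session of that role.

```python
"""Model of how AWS evaluates a cross-account call to an Elasticsearch/OpenSearch
domain: the domain's resource-based access policy in account A AND the caller's
identity-based policy in account B must both allow the action.
Constructed example for this thread; all ids, names and IPs are placeholders.
Explicit Deny statements are not modelled."""
import fnmatch
import ipaddress

DOMAIN_ARN = "arn:aws:es:us-east-1:AccountA:domain/domainName"
LAMBDA_ROLE_ARN = "arn:aws:iam::AccountB:role/lambdaRole"

# Domain access policy (account A): the IP-restricted statement from the
# question plus the explicit cross-account role principal from the answer.
DOMAIN_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
         "Resource": DOMAIN_ARN + "/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}},
        {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE_ARN},
         "Action": "es:*", "Resource": DOMAIN_ARN + "/*"},
    ],
}

# Identity-based policy attached to lambdaRole in account B. Without an allow
# here, the resource policy alone does not admit a cross-account caller.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["es:ESHttpPost", "es:ESHttpGet"],
                   "Resource": DOMAIN_ARN + "/*"}],
}

def account_of(arn):
    """Account id field of an ARN (arn:partition:service:region:account:...)."""
    return arn.split(":")[4]

def canonical_principal(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN it came from;
    a role ARN in a policy matches every session of that role."""
    parts = arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return arn

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_arn):
    allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
    if "*" in allowed:
        return True
    return canonical_principal(principal_arn) in {canonical_principal(a) for a in allowed}

def _conditions_hold(stmt, source_ip):
    cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True  # statement carries no IP condition
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def _statement_allows(stmt, action, resource, source_ip, principal_arn=None):
    """True if one Allow statement covers the request. principal_arn is None
    for identity-based statements, which carry no Principal element."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal_arn is not None and not _principal_matches(stmt, principal_arn):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _conditions_hold(stmt, source_ip)

def resource_policy_allows(policy, principal_arn, action, resource, source_ip):
    return any(_statement_allows(s, action, resource, source_ip, principal_arn)
               for s in policy["Statement"])

def identity_policy_allows(policy, action, resource, source_ip):
    return any(_statement_allows(s, action, resource, source_ip)
               for s in policy["Statement"])

def request_allowed(resource_policy, identity_policy, principal_arn, action, resource, source_ip):
    """Combine both sides the way IAM does for resource policies that support it."""
    by_resource = resource_policy_allows(resource_policy, principal_arn, action, resource, source_ip)
    by_identity = identity_policy is not None and identity_policy_allows(
        identity_policy, action, resource, source_ip)
    if account_of(principal_arn) == account_of(resource):
        return by_resource or by_identity   # same account: either policy suffices
    return by_resource and by_identity      # cross-account: both must allow
```

Running `request_allowed(DOMAIN_ACCESS_POLICY, LAMBDA_ROLE_POLICY, "arn:aws:sts::AccountB:assumed-role/lambdaRole/lambda-session", "es:ESHttpPost", DOMAIN_ARN + "/index/_doc", "198.51.100.7")` returns True, while passing `None` for the identity policy returns False even though the domain policy names the role, which is the second thing to check when the error in the question persists after the resource policy has been fixed. A Lambda outside a VPC also does not arrive from a fixed address, so the `aws:SourceIp` statement on its own never matches it; the explicit role principal is what admits it.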