
I used to have an ElasticSearch Service instance (t2.micro.search) set up to enable a search functionality for an app hosted on Heroku. That old setup was working fine.

I now tried to set up a new instance (t3.small.search) using the same settings as the previous one. However, when I tried to build the index from Heroku, I got this error:

TransportError(403, '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost with an explicit deny in a resource-based policy"}'

I realized my access policy has "Deny" instead of the "Allow" I had before:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:000000000000:domain/my-domain/*"
    }
  ]
}

I tried to change it to "Allow" but the console would not allow me to save the settings ("Apply a restrictive access policy to your domain").

Does somebody know how to set up the access policy so I can continue to use AWS OpenSearch for a Heroku app?

apiljic
  • Hey @apiljic how's your progress coming along on this? I just started working on the same stack and coming into issues left and right and sort of shocked by how limited the amount of documentation seems to be out there on this. Maybe we can help each other out. – Joshua Book Jun 06 '23 at 16:42
  • Hi Joshua. I upgraded elasticsearch to 7.10. For that version (maybe even 6), "fine-grained access control" can be enabled. If you do that and select "set IAM ARN as master user", then the above policy can be set with "Allow" and everything works. Hope this helps. – apiljic Jun 08 '23 at 01:01
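
An added example, not part of the original thread: a simplified evaluator for a domain access policy, showing why the question's policy yields an explicit deny for an unsigned ("anonymous") request and what switching "Deny" to "Allow" changes. The function names and the sample request are constructed for illustration; Condition, NotAction, NotPrincipal and identity-based policies are not modelled.

```python
import copy
import fnmatch

# Policy from the question (account ID and domain name are the question's placeholders).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:000000000000:domain/my-domain/*",
    }],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def principal_matches(principal, caller_arn):
    # "*" or {"AWS": "*"} matches every caller, including unsigned (anonymous) requests.
    if principal == "*":
        return True
    arns = as_list(principal.get("AWS", []))
    return "*" in arns or (caller_arn is not None and caller_arn in arns)

def evaluate(policy, caller_arn, action, resource):
    """Simplified model: returns 'explicit deny', 'allow' or 'implicit deny'.
    caller_arn=None models an unsigned request ("User: anonymous")."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # a matching Deny overrides any Allow
        allowed = True
    return "allow" if allowed else "implicit deny"

def with_effect(policy, effect):
    # Copy of the policy with the first statement's Effect replaced.
    changed = copy.deepcopy(policy)
    changed["Statement"][0]["Effect"] = effect
    return changed

if __name__ == "__main__":
    # Constructed request: an index write against the question's domain ARN.
    request = ("es:ESHttpPost", "arn:aws:es:us-east-1:000000000000:domain/my-domain/my-index/_doc")
    print(evaluate(QUESTION_POLICY, None, *request))
    print(evaluate(with_effect(QUESTION_POLICY, "Allow"), None, *request))
```

With "Allow" and the wildcard principal, the policy itself admits unsigned callers, so authentication has to come from elsewhere, as with the fine-grained access control setting mentioned in the comment above.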

0 Answers