
I have an OpenSearch domain set up within a VPC, and there is an EC2 instance running in the same VPC. The EC2 instance has an IAM role attached to its instance profile, granting full permissions to access the OpenSearch domain. However, when attempting to read or write to the domain from the EC2 instance, a 401 Unauthorized error is encountered.

I can do whatever I wish with the OpenSearch domain using the aws cli on this ec2. For example, this works:

    aws opensearch upgrade-domain --domain-name opensearch-blui --target-version OpenSearch_2.5

but when I try to create an index in the cluster, it fails:

    curl -XPUT https://opensearch.lol.net/movies/_doc/1 -d '{"director": "Burton, Tim", "genre": ["Comedy","Sci-Fi"], "year": 1996, "actor": ["Jack Nicholson","Pierce Brosnan","Sarah Jessica Parker"], "title": "Mars Attacks!"}' -H 'Content-Type: application/json'

Unauthorized

Is it not possible to use IAM to authenticate with Opensearch to make actual use of it?

  • @JohnRotenstein I have edited the question to include commands. Do you mean that when using OpenSearch within a VPC, IAM authentication is insufficient for request authentication and authorization? IAM primarily serves AWS service operations. To read/write in OpenSearch, I must use OpenSearch-specific authentication mechanisms like basic auth or OpenSearch Security (Open Distro for Elasticsearch) with users and roles. Please correct my understanding or point me to the relevant documentation. – akshaykrjain Jun 08 '23 at 10:40

1 Answer

Some ideas:

  • Check the IAM policy associated with the IAM role. It should have the correct permissions for OpenSearch. Here is an example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "es:*",
      "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/DOMAIN_NAME/*"
    }
  ]
}
  • Verify that your VPC Security Group allows inbound and outbound access between your EC2 instance and your OpenSearch domain.

  • The OpenSearch domain's access policy should be configured to permit access from the IAM role attached to your EC2 instance.

  • Confirm that your EC2 instance is indeed associated with the IAM role. Note: It can sometimes take a few minutes for the new permissions to propagate throughout AWS.

  • When making requests to the OpenSearch domain, ensure that you're using the AWS Signature Version 4 signing process. AWS OpenSearch Service requires all incoming requests to be signed using Signature Version 4.
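The last item in the answer is the one the curl in the question never does: it sends only a Content-Type header, so the domain cannot attribute the request to the instance role and rejects it. The block below is an added example, not code from the question or the answer: it builds a SigV4-signed version of that exact PUT using only the Python standard library, so it runs offline and shows what "signed with Signature Version 4" actually puts on the wire. The credentials, region, timestamp and document body are constructed placeholders; on the instance the three credential values (access key, secret key and session token) would come from the instance profile, for example via boto3.Session().get_credentials().get_frozen_credentials(). Note that instance-profile credentials are temporary, so the x-amz-security-token header must be sent and signed as well.

```python
"""Added example: SigV4-sign the question's PUT to an OpenSearch domain.
Pure standard library, runs offline. All credentials and the timestamp are
constructed placeholders, not real values."""
import datetime
import hashlib
import hmac
import shlex
import urllib.parse
from typing import Dict, Optional, Tuple

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed placeholders for the worked example (assumptions, not real credentials).
EXAMPLE_URL = "https://opensearch.lol.net/movies/_doc/1"
EXAMPLE_BODY = b'{"director": "Burton, Tim", "year": 1996, "title": "Mars Attacks!"}'
EXAMPLE_REGION = "ap-south-1"          # assumed region of the domain
EXAMPLE_ACCESS_KEY = "AKIAEXAMPLE"
EXAMPLE_SECRET_KEY = "secretEXAMPLE"
EXAMPLE_TOKEN = "sessionTokenEXAMPLE"  # instance-profile credentials always carry a token
EXAMPLE_TIME = datetime.datetime(2023, 6, 8, 10, 40, 0, tzinfo=datetime.timezone.utc)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: str,
                      headers: Dict[str, str], payload_hash: str) -> Tuple[str, str]:
    """Return (canonical request, SignedHeaders) exactly as SigV4 defines them."""
    # Canonical URI: the URI-encoded path (plain paths such as /movies/_doc/1 assumed).
    canonical_uri = urllib.parse.quote(path or "/", safe="/~")
    # Canonical query string: keys and values URI-encoded, then sorted.
    pairs = sorted(urllib.parse.parse_qsl(query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}" for k, v in pairs)
    # Canonical headers: lowercase names, whitespace-collapsed values, sorted by name,
    # one newline-terminated line each; SignedHeaders is the same names joined by ';'.
    lowered = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in lowered)
    signed_headers = ";".join(k for k, _ in lowered)
    creq = "\n".join([method.upper(), canonical_uri, canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def sign_request(method: str, url: str, body: bytes, region: str, access_key: str,
                 secret_key: str, session_token: Optional[str] = None,
                 content_type: Optional[str] = None, service: str = "es",
                 now: Optional[datetime.datetime] = None) -> Dict[str, str]:
    """Return the headers that turn a bare HTTP request into a SigV4-signed one.
    service is 'es' for a managed OpenSearch Service domain."""
    parsed = urllib.parse.urlsplit(url)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    payload_hash = sha256_hex(body)
    headers = {"host": parsed.netloc, "x-amz-date": amz_date, "x-amz-content-sha256": payload_hash}
    if content_type:
        headers["content-type"] = content_type
    if session_token:
        # Temporary credentials (instance profile, STS) must send the token, and it is signed too.
        headers["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, parsed.path, parsed.query, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def is_sigv4_signed(headers: Dict[str, str]) -> bool:
    """True when a SigV4 Authorization header is present (the question's curl has none)."""
    return any(k.lower() == "authorization" and v.startswith(ALGORITHM) for k, v in headers.items())


def as_curl(method: str, url: str, body: bytes, headers: Dict[str, str]) -> str:
    """Render the signed request in the curl form the question uses."""
    parts = ["curl", "-X" + method.upper(), shlex.quote(url), "-d", shlex.quote(body.decode("utf-8"))]
    parts += [f"-H {shlex.quote(f'{k}: {v}')}" for k, v in headers.items()]
    return " ".join(parts)


def example_signed_headers() -> Dict[str, str]:
    """The question's PUT, signed with the constructed placeholder credentials."""
    return sign_request("PUT", EXAMPLE_URL, EXAMPLE_BODY, EXAMPLE_REGION, EXAMPLE_ACCESS_KEY,
                        EXAMPLE_SECRET_KEY, session_token=EXAMPLE_TOKEN,
                        content_type="application/json", now=EXAMPLE_TIME)


if __name__ == "__main__":
    print(as_curl("PUT", EXAMPLE_URL, EXAMPLE_BODY, example_signed_headers()))
```

In day-to-day use you would not hand-roll this: opensearch-py's AWSV4SignerAuth or botocore's SigV4Auth produce the same headers from the instance-profile credentials, and curl 7.75 or later can sign directly with --aws-sigv4 "aws:amz:REGION:es" --user "ACCESS_KEY:SECRET_KEY" (adding -H "x-amz-security-token: TOKEN" for temporary credentials). One caveat beyond the signing itself: if the domain has fine-grained access control enabled, a correctly signed request from the role is still rejected unless that IAM role is mapped to an OpenSearch role in the security plugin, which is the users-and-roles mechanism the comment on the question refers to.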