I am running my code in AWS Lambda to push data into AWS OpenSearch. I have provided full permissions (es:* and aoss:*) for the user whose credentials I am using to PUT/DELETE data into OpenSearch. But, I am getting the following error...
{
"name": "ResponseError",
"meta": {
"body": {
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "Authorization failure for the following indices: [trip-list]"
}
],
"type": "security_exception",
"reason": "Authorization failure for the following indices: [trip-list]"
},
"status": 403
},
"statusCode": 403,
"headers": {
"date": "Sun, 09 Jul 2023 16:13:35 GMT",
"content-type": "application/json; charset=UTF-8",
"content-length": "241",
"x-envoy-upstream-service-time": "75",
"server": "aoss-amazon-i",
"x-request-id": "143de425-85d0-9851-9d8f-406091505e0d"
},
"meta": {
"context": null,
"request": {
"params": {
"method": "PUT",
"path": "/trip-list/_doc/34c41782-21ed-4bdf-8900-2e1847d63080",
"body": "{\"id\":\"34c41782-21ed-4bdf-8900-2e1847d63080\",\"a\":\"US_Mexico_Trip\",\"b\":2000,\"c\":20230706113628772}",
"querystring": "",
"headers": {
"user-agent": "opensearch-js/1.2.0 (linux 4.14.255-311-248.529.amzn2.x86_64-x64; Node.js v18.16.0)"
},
"timeout": 30000
},
"options": {},
"id": 1
},
"name": "opensearch-js",
"connection": {
"url": "https://xxxxxxxxxxxxx.eu-west-1.aoss.amazonaws.com/",
"id": "https://xxxxxxxxxxxxx.eu-west-1.aoss.amazonaws.com/",
"headers": {},
"deadCount": 0,
"resurrectTimeout": 0,
"_openRequests": 0,
"status": "alive",
"roles": {
"master": true,
"data": true,
"ingest": true
}
},
"attempts": 0,
"aborted": false
}
}
}
The following is the code I have written in the Lambda function:
import AWS from 'aws-sdk';
import { Client } from "@opensearch-project/opensearch";
import { AwsSigv4Signer } from '@opensearch-project/opensearch/aws';
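export const handler = async (event) => {
  // Mirrors DynamoDB Stream records into the `trip-list` index: INSERT/MODIFY
  // upserts the item as a document keyed by SK, REMOVE deletes that document.
  //
  // NOTE(review): `service: 'aoss'` and the `*.aoss.amazonaws.com` endpoint
  // indicate OpenSearch Serverless. There, IAM permissions (`aoss:*`) alone do
  // not authorize index operations — the collection's data access policy must
  // also grant the principal that signs the request index permissions on the
  // collection. Confirm that the policy names the principal actually used to
  // sign (the Lambda execution role once the hard-coded key is gone).
  //
  // Credentials are deliberately NOT set with AWS.config.update here. Inside
  // Lambda the SDK's default provider chain resolves the execution role's
  // credentials from the environment, so requests are signed as that role.
  // Embedding a user's access key/secret in source leaks a long-lived secret
  // into the deployment package and makes it unclear which principal needs
  // the data access grant.
  const client = new Client({
    ...AwsSigv4Signer({
      region: 'eu-west-1',
      service: 'aoss',
      getCredentials: () =>
        new Promise((resolve, reject) => {
          AWS.config.getCredentials((err, credentials) => {
            if (err) {
              reject(err);
            } else {
              resolve(credentials);
            }
          });
        }),
    }),
    node: 'https://xxxxxxxxxxxxx.eu-west-1.aoss.amazonaws.com', // OpenSearch collection endpoint
  });
  const indexName = 'trip-list';

  // Logs a client error without echoing the whole ResponseError: its
  // `meta.request.params.body` carries the indexed document, which would
  // otherwise be written verbatim to CloudWatch. The response body and status
  // are what is needed to diagnose authorization failures.
  const logError = (context, error) => {
    console.error(context, {
      name: error?.name,
      message: error?.message,
      statusCode: error?.statusCode,
      body: error?.meta?.body,
    });
  };

  // Per-record errors are logged and swallowed, as in the original, so the
  // batch is acknowledged even when a write fails; rethrow instead if the
  // stream should retry failed records.
  for (const record of event.Records ?? []) {
    const eventName = record.eventName;
    const stream = record.dynamodb ?? {};

    if (eventName === 'INSERT' || eventName === 'MODIFY') {
      // NewImage is only present when the stream view type includes new
      // images; skip rather than index an empty document.
      if (!stream.NewImage) {
        console.warn('Skipping record without NewImage:', eventName);
        continue;
      }
      const { SK, a, b, c } = AWS.DynamoDB.Converter.unmarshall(stream.NewImage);
      // Document shape kept identical to the original: id mirrors SK.
      const document = { id: SK, a, b, c };
      try {
        const response = await client.index({
          id: SK,
          index: indexName,
          body: document,
        });
        console.log('UPDATED SUCCESSFULLY -> ');
        console.log(response);
      } catch (error) {
        logError('Error indexing document:', error);
      }
    } else if (eventName === 'REMOVE') {
      // REMOVE records carry no NewImage, so the original's
      // unmarshall(NewImage) produced an undefined id. The deleted item's key
      // comes from OldImage (when the view type includes it) or from Keys,
      // which every stream record carries.
      const { SK } = AWS.DynamoDB.Converter.unmarshall(stream.OldImage ?? stream.Keys ?? {});
      if (SK === undefined) {
        console.warn('Skipping REMOVE record without an SK key');
        continue;
      }
      try {
        const response = await client.delete({
          index: indexName,
          id: SK,
        });
        console.log('Document deleted successfully:', JSON.stringify(response));
      } catch (error) {
        logError('Error deleting document:', error);
      }
    }
  }
};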
The role assigned to the Lambda function has also been given full permissions (`es:*` and `aoss:*`). So why am I still getting `Authorization failure for the following indices: [trip-list]`?