
I have an ElasticSearch instance deployed in AWS which is publicly accessible. I can easily query data on localhost, but when I deploy on AWS Lambda I get the following error:

Message: ‘User: arn:aws:sts::xxxxxxxx:assumed-role/infrastruct-dev-us-east-2-lambdaRole/zeong-immigration-infrastruct-dev-app is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action’

This is my serverless.yaml

    # under `provider:` in serverless.yml
    iamRoleStatements:
      - Effect: Allow
        Action:
          - es:ESHttpPost
          - es:ESHttpPut
          - es:ESHttpDelete
          - es:ESHttpGet
        Resource:
          - {'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn']}
          - {
              'Fn::Join':
                [
                  '',
                  [
                    {'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn']},
                    '/*',
                  ],
                ],
            }
        Condition:
          IpAddress:
            aws:SourceIp:
              - '0.0.0.0' # Whitelisted IP

    resources:
      Resources:
        ElasticSearchInstance:
          Type: AWS::Elasticsearch::Domain
          Properties:
            EBSOptions:
              EBSEnabled: true
              VolumeType: gp2
              VolumeSize: 10
            ElasticsearchClusterConfig:
              InstanceType: t2.small.elasticsearch
              InstanceCount: 1
              DedicatedMasterEnabled: false
              ZoneAwarenessEnabled: false
            ElasticsearchVersion: 5.3
            AccessPolicies:
              Version: '2012-10-17'
              Statement:
                - Effect: 'Allow'
                  Principal:
                    AWS: '*'
                  Action: 'es:*'
                  Resource: '*'
                  Condition:
                    IpAddress:
                      aws:SourceIp: ['182.177.251.40', '103.115.199.162']
            AdvancedOptions:
              rest.action.multi.allow_explicit_index: 'true'

Please help.

2 Answers


  1. Chosen as BEST ANSWER

    I was able to solve the above issue by using a principal in the ElasticSearch instance, as mentioned here.

    Still the error was not solved, so finally, after removing the

      Condition:
        IpAddress:
          aws:SourceIp:
            - '0.0.0.0' # Whitelisted IP

    from the iamRoleStatements, I was able to solve the issue.
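Why dropping the Condition block from the role statement resolves the error in the question, shown as an added example that is not part of the question or either answer: a small Python model of how IAM evaluates an identity-based statement carrying an IpAddress condition. The account id, domain name and Lambda source address are placeholder values, and the matching rules are simplified to what this case needs.

```python
import fnmatch
import ipaddress

# Constructed sample: the question's identity-based statement, with a placeholder account id and domain name.
DOMAIN_ARN = "arn:aws:es:us-east-2:123456789012:domain/example-domain"
STATEMENT = {
    "Effect": "Allow",
    "Action": ["es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete", "es:ESHttpGet"],
    "Resource": [DOMAIN_ARN, DOMAIN_ARN + "/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0"]}},
}

def _glob(patterns, value):
    """IAM-style '*' / '?' wildcard matching for Action and Resource (simplified)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def ip_condition_ok(condition, source_ip):
    """aws:SourceIp under IpAddress. A bare address is a /32 host, so '0.0.0.0' matches
    only that literal address, never a Lambda's egress IP. A request that carries no
    aws:SourceIp at all (for example one arriving via a VPC endpoint) fails the check."""
    if "IpAddress" not in condition:
        return True
    if source_ip is None:
        return False
    ip = ipaddress.ip_address(source_ip)
    cidrs = condition["IpAddress"].get("aws:SourceIp", [])
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(statements, action, resource, source_ip):
    """Explicit Deny wins, then any matching Allow, else implicit deny (the question's error)."""
    decision = "ImplicitDeny"
    for stmt in statements:
        if not (_glob(stmt["Action"], action) and _glob(stmt["Resource"], resource)):
            continue
        if not ip_condition_ok(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def without_condition(stmt):
    """The accepted answer's fix: drop the Condition block from the statement."""
    return {k: v for k, v in stmt.items() if k != "Condition"}

if __name__ == "__main__":
    doc = DOMAIN_ARN + "/my-index/_doc"
    lambda_ip = "3.18.10.20"  # constructed: an AWS egress address, not the allow-listed one
    print(evaluate([STATEMENT], "es:ESHttpPost", doc, lambda_ip))                     # ImplicitDeny
    print(evaluate([without_condition(STATEMENT)], "es:ESHttpPost", doc, lambda_ip))  # Allow
```

The same evaluator shows that a bare `0.0.0.0` is a single-host match, which is why the Lambda's request never satisfied the condition.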


  2. Try setting your ActionPolicies Action to

    Action: [
        "es:*"
    ]

    It seems like you have forgotten the '[]'.

    View the documentation here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html
