I have an ElasticSearch instance deployed in AWS which is publicly accessible. I can easily query data on localhost, but when I deploy on AWS Lambda I get the following error:
Message: ‘User: arn:aws:sts::xxxxxxxx:assumed-role/infrastruct-dev-us-east-2-lambdaRole/zeong-immigration-infrastruct-dev-app is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action’
This is my serverless.yaml
```yaml
iamRoleStatements:
  - Effect: Allow
    Action:
      - es:ESHttpPost
      - es:ESHttpPut
      - es:ESHttpDelete
      - es:ESHttpGet
    Resource:
      - {'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn']}
      - {
          'Fn::Join':
            [
              '',
              [
                'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn'],
                '/*',
              ],
            ],
        }
    Condition:
      IpAddress:
        aws:SourceIp:
          - '0.0.0.0' # Whitelisted IP
resources:
  Resources:
    ElasticSearchInstance:
      Type: AWS::Elasticsearch::Domain
      Properties:
        EBSOptions:
          EBSEnabled: true
          VolumeType: gp2
          VolumeSize: 10
        ElasticsearchClusterConfig:
          InstanceType: t2.small.elasticsearch
          InstanceCount: 1
          DedicatedMasterEnabled: false
          ZoneAwarenessEnabled: false
        ElasticsearchVersion: 5.3
        AccessPolicies:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Principal:
                AWS: '*'
              Action: 'es:*'
              Resource: '*'
              Condition:
                IpAddress:
                  aws:SourceIp: ['182.177.251.40', '103.115.199.162']
        AdvancedOptions:
          rest.action.multi.allow_explicit_index: 'true'
```
Please help.
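How the `IpAddress` conditions in the question's two policy statements evaluate, as an added example that is not part of the original post: a simplified statement matcher that checks only Action wildcards and `aws:SourceIp` (Resource, Principal and Deny are not modelled). `statement_matches`, `evaluate`, `LAMBDA_IP` and the address `203.0.113.10` are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, source_ip):
    """True if an Allow statement applies to this action and caller IP.

    Simplified on purpose: only Action wildcards and the
    IpAddress / aws:SourceIp condition are evaluated.
    """
    patterns = [p.lower() for p in _as_list(stmt["Action"])]
    if not any(fnmatchcase(action.lower(), p) for p in patterns):
        return False
    cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True  # no IP condition: the statement applies from any address
    ip = ipaddress.ip_address(source_ip)
    # An address written without a prefix is a single host (/32), so
    # '0.0.0.0' matches only the literal address 0.0.0.0, not "anywhere".
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

# Statements copied from the question's serverless.yaml (Resource omitted).
ROLE_STATEMENT = {
    "Action": ["es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete", "es:ESHttpGet"],
    "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0"]}},
}
DOMAIN_STATEMENT = {
    "Action": "es:*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["182.177.251.40", "103.115.199.162"]}},
}
LAMBDA_IP = "203.0.113.10"  # constructed: stands in for the Lambda's egress address

def evaluate(action="es:ESHttpPost"):
    """Match results for the same action from different caller addresses."""
    open_cidr = dict(ROLE_STATEMENT,
                     Condition={"IpAddress": {"aws:SourceIp": ["0.0.0.0/0"]}})
    return {
        "role policy, '0.0.0.0', from Lambda": statement_matches(ROLE_STATEMENT, action, LAMBDA_IP),
        "role policy, '0.0.0.0/0', from Lambda": statement_matches(open_cidr, action, LAMBDA_IP),
        "domain policy, from Lambda": statement_matches(DOMAIN_STATEMENT, action, LAMBDA_IP),
        "domain policy, from allowlisted IP": statement_matches(DOMAIN_STATEMENT, action, "182.177.251.40"),
    }

if __name__ == "__main__":
    for case, matched in evaluate().items():
        print(f"{case}: {'matches' if matched else 'no match'}")
```
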
2 Answers
I was able to solve the above issue by using principal in the ElasticSearch Instance as mentioned here
Still the error was not solved so finally after removing the
from the IamRoleStatements I was able to solve the issue
Try setting your ActionPolicies Action to
It seems like you have forgotten the ‘[]’
View documentation here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html