I have an Elasticsearch instance deployed in AWS which is publicly accessible. I can easily query data on localhost, but when I deploy on AWS Lambda I get the following error:
Message: 'User: arn:aws:sts::xxxxxxxx:assumed-role/infrastruct-dev-us-east-2-lambdaRole/zeong-immigration-infrastruct-dev-app is not authorized to perform: es:ESHttpPost because no identity-based policy allows the es:ESHttpPost action'
This is my serverless.yaml
iamRoleStatements:
  - Effect: Allow
    Action:
      - es:ESHttpPost
      - es:ESHttpPut
      - es:ESHttpDelete
      - es:ESHttpGet
    Resource:
      - {'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn']}
      - {
          'Fn::Join':
            [
              '',
              [
                'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn'],
                '/*',
              ],
            ],
        }
    Condition:
      IpAddress:
        aws:SourceIp:
          - '0.0.0.0' # Whitelisted IP
resources:
  Resources:
    ElasticSearchInstance:
      Type: AWS::Elasticsearch::Domain
      Properties:
        EBSOptions:
          EBSEnabled: true
          VolumeType: gp2
          VolumeSize: 10
        ElasticsearchClusterConfig:
          InstanceType: t2.small.elasticsearch
          InstanceCount: 1
          DedicatedMasterEnabled: false
          ZoneAwarenessEnabled: false
        ElasticsearchVersion: 5.3
        AccessPolicies:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Principal:
                AWS: '*'
              Action: 'es:*'
              Resource: '*'
              Condition:
                IpAddress:
                  aws:SourceIp: ['182.177.251.40', '103.115.199.162']
        AdvancedOptions:
          rest.action.multi.allow_explicit_index: 'true'
Please help.
CodePudding user response:
Try setting your ActionPolicies Action to
Action: [
"es:*"
],
It seems like you have forgotten the '[]'.
View the documentation here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html
CodePudding user response:
I was able to solve the above issue by using a principal in the Elasticsearch instance, as mentioned here.
Still, the error was not solved, so finally, after removing the
    Condition:
      IpAddress:
        aws:SourceIp:
          - '0.0.0.0' # Whitelisted IP
from the iamRoleStatements, I was able to solve the issue.
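Why the role statement as posted could never match, and why trusting the Lambda's role on the domain is the cleaner fix than an IP allowlist, as an added example that is not part of the question or either answer: a small Python model of the IAM evaluation in play. The account ID, domain name, index path and the Lambda's source IP are constructed; the role and session names are taken from the error message. The model covers only Allow statements, Action/Resource wildcards, a resource-policy Principal and the IpAddress condition on aws:SourceIp, and applies the same-account rule that an Allow in either the identity-based policy or the domain access policy suffices. Explicit Deny, SCPs and permission boundaries are not modelled.

```python
"""Toy model of the IAM decision behind the AccessDenied error in the question.
Added example, not code from the original post. It models only Allow statements,
Action/Resource wildcards, a resource-policy Principal and the IpAddress condition
on aws:SourceIp; real IAM also evaluates explicit Deny, SCPs and permission boundaries."""
import fnmatch
import ipaddress

# Constructed sample identifiers: account ID and domain name are made up; the role
# and session names come from the error message in the question.
ACCOUNT = "123456789012"
ROLE = "infrastruct-dev-us-east-2-lambdaRole"
LAMBDA_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE}/zeong-immigration-infrastruct-dev-app"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE}"
DOMAIN_ARN = f"arn:aws:es:us-east-2:{ACCOUNT}:domain/example-domain"

def _listify(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource ('*' and '?')."""
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))

def _principal_matches(principal, caller_arn):
    """Identity policies have no Principal and apply only to a signed caller. In a
    resource policy '*' matches anyone (signed or not) and a role ARN matches every
    session of that role (seen as arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION)."""
    if principal is None:
        return caller_arn is not None
    allowed = set(_listify(principal.get("AWS", [])))
    if "*" in allowed:
        return True
    if caller_arn is None:
        return False
    account, resource = caller_arn.split(":")[4:6]
    aliases = {caller_arn}
    if resource.startswith("assumed-role/"):
        aliases.add(f"arn:aws:iam::{account}:role/{resource.split('/')[1]}")
    return bool(aliases & allowed)

def _ip_condition_holds(condition, ctx):
    """IpAddress: aws:SourceIp must fall inside a listed CIDR. A bare '0.0.0.0' is a
    /32 that matches only itself, and a request with no aws:SourceIp at all (e.g. via
    a VPC endpoint, which sets aws:VpcSourceIp instead) fails the test outright."""
    if not condition:
        return True
    for operator, keys in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, cidrs in keys.items():
            if key not in ctx:
                return False
            ip = ipaddress.ip_address(ctx[key])
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in _listify(cidrs)):
                return False
    return True

def policy_allows(policy, action, resource, ctx):
    """True if any Allow statement in the policy matches the request."""
    caller = ctx.get("aws:PrincipalArn")
    return any(
        stmt["Effect"] == "Allow"
        and _principal_matches(stmt.get("Principal"), caller)
        and _matches(stmt["Action"], action)
        and _matches(stmt["Resource"], resource)
        and _ip_condition_holds(stmt.get("Condition"), ctx)
        for stmt in policy["Statement"])

def request_allowed(identity_policy, domain_policy, action, resource, ctx):
    """Same-account rule: an Allow in either the caller's identity-based policy or
    the domain's resource-based access policy is enough (no Deny modelled)."""
    return (policy_allows(identity_policy, action, resource, ctx)
            or policy_allows(domain_policy, action, resource, ctx))

# The role statement from the question: its condition can never hold for a Lambda,
# whose calls leave from an AWS-owned address, never from 0.0.0.0.
IDENTITY_WITH_IP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["es:ESHttpPost", "es:ESHttpPut", "es:ESHttpDelete", "es:ESHttpGet"],
    "Resource": [DOMAIN_ARN, DOMAIN_ARN + "/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": ["0.0.0.0"]}}}]}
# The same statement with the Condition removed, as in the accepted answer.
IDENTITY_FIXED = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in IDENTITY_WITH_IP["Statement"][0].items() if k != "Condition"}]}
# The domain access policy from the question: anyone, but only from two addresses.
DOMAIN_IP_ALLOWLIST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": "*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["182.177.251.40", "103.115.199.162"]}}}]}
# Least-privilege alternative: trust the Lambda's role instead of an IP list.
DOMAIN_ROLE_PRINCIPAL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": "es:ESHttp*", "Resource": DOMAIN_ARN + "/*"}]}

# Constructed request contexts: the Lambda's source IP is invented; an unsigned
# request from an allow-listed address is the "works on localhost" case.
LAMBDA_CTX = {"aws:PrincipalArn": LAMBDA_ARN, "aws:SourceIp": "3.16.10.20"}
ALLOWLISTED_CTX = {"aws:SourceIp": "182.177.251.40"}
ACTION, TARGET = "es:ESHttpPost", DOMAIN_ARN + "/my-index/_doc"
```

With the policies as posted, request_allowed(IDENTITY_WITH_IP, DOMAIN_IP_ALLOWLIST, ACTION, TARGET, LAMBDA_CTX) is False while the same call with ALLOWLISTED_CTX is True, which is exactly the "works locally, denied from Lambda" split in the question. Swapping in IDENTITY_FIXED, or DOMAIN_ROLE_PRINCIPAL, flips the Lambda case to allowed. Two practical cautions: a bare 0.0.0.0 in aws:SourceIp is a single address, not "any" (that would be 0.0.0.0/0, which would make the condition pointless), and a Lambda outside a VPC sends from an AWS-owned address you cannot allow-list, so an IP condition is the wrong control for it; if you do put the role ARN in the domain's AccessPolicies, build it from a fixed role name rather than Fn::GetAtt on the role, because the role's own statement already references the domain ARN and CloudFormation rejects the resulting circular dependency.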