I can't access the indices tab of my ES domain in the AWS ElasticSearch console. Here is what it looks like in the console:
Even though I added my IAM ARN (arn:aws:iam::NNNNNNNNNNNNN:root) to the access policy of the console, I am still getting this error:
/_stats: {
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:monitor/stats] and User [name=arn:aws:iam::NNNNNNNNNNNNN:root, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:monitor/stats] and User [name=arn:aws:iam::NNNNNNNNNNNNN:root, backend_roles=[], requestedTenant=null]"
  },
  "status": 403
}
Any idea what went wrong? The domain has access control with a master password as well.
Elasticsearch Service domains are Elasticsearch clusters created using the Elasticsearch Service console, CLI, or API. Each domain is a cluster in the cloud with the specified compute and storage resources. The service enables you to create and delete domains, define infrastructure attributes, and control access and security.
Because Amazon Elasticsearch Service (Amazon ES) exposes a REST API, there are many ways to index documents. You can use standard clients such as curl or any programming language that can send HTTP requests. To simplify interaction further, Amazon ES has clients for many programming languages.
Elasticsearch is a managed AWS (Amazon Web Services) service for log analytics and management. A common use case is monitoring infrastructure or application performance and assisting in failure diagnosis.
This RESTful API access is limited to the specific cluster and works only for Elasticsearch API calls; you cannot make Elasticsearch Service platform changes through the Elasticsearch API. Log in to the Elasticsearch Service Console. Select your deployment on the home page in the Elasticsearch Service card, or go to the deployments page.
Then enable audit logging. Back in the AWS Elasticsearch console, on the dashboard, click your cluster and select the Logs tab. Scroll down to Set up Audit logs. Click Enable and follow the instructions to select a CloudWatch log group to publish your logs to.
It turns out my access policy setting itself was correct, but if you have the master user account configured using basic auth in your domain, the indices and cluster health tabs don't work. After I switched to an ARN-based master account, it worked.
For Googlers:
As of 2020/01, Amazon ES employs a tricky way to determine how fine-grained authorization is done.
The implications are:
This looks very confusing to users who see IAM users / roles mapped, only to find them unauthorized when accessing the domain.
As you can change the master user (with downtime) for an ES domain, you can change it back and forth to avoid integrating with Cognito, but this is a pain.
This should be more clearly stated, or better emphasized in the official docs.
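Both answers above boil down to the same signal in the error body: the security plugin identified the caller by its IAM ARN (the SigV4 signature and the domain access policy were accepted), but `backend_roles=[]` shows that no fine-grained-access-control role is mapped to that ARN, so every action is denied. The script below is an added example, not code from either poster. It parses a 403 `security_exception` of the shape shown in the question, reports which action and principal were denied and why, and builds the body for the Open Distro security plugin's role-mapping API (`PUT _opendistro/_security/api/rolesmapping/<role>`, the API that Amazon ES fine-grained access control exposed in 2020; the role name `readonly_monitor` and the account number are constructed placeholders). Mapping the ARN to a role is the alternative to making it the master user.

```python
"""Diagnose an Amazon ES fine-grained-access-control 403 and build a role mapping.

Added example; the sample error body is the one from the question, with the
account number left as the poster's NNNN placeholder.
"""
import json
import re

# Matches the reason string the security plugin emits on a denied action.
USER_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]"
)

# Constructed sample: the /_stats response quoted in the question.
SAMPLE_403 = json.dumps({
    "error": {
        "root_cause": [{
            "type": "security_exception",
            "reason": "no permissions for [indices:monitor/stats] and User "
                      "[name=arn:aws:iam::NNNNNNNNNNNNN:root, backend_roles=[], "
                      "requestedTenant=null]",
        }],
        "type": "security_exception",
        "reason": "no permissions for [indices:monitor/stats] and User "
                  "[name=arn:aws:iam::NNNNNNNNNNNNN:root, backend_roles=[], "
                  "requestedTenant=null]",
    },
    "status": 403,
})


def diagnose(error_body: str) -> dict:
    """Explain a security_exception: who was denied, which action, and why."""
    doc = json.loads(error_body)
    err = doc.get("error", {})
    if doc.get("status") != 403 or err.get("type") != "security_exception":
        return {"denied": False, "reason": "not a fine-grained access control denial"}
    m = USER_RE.search(err.get("reason", ""))
    if not m:
        return {"denied": True, "reason": "unrecognised reason string"}
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    principal = m.group("name")
    result = {
        "denied": True,
        "action": m.group("action"),
        "principal": principal,
        "backend_roles": roles,
    }
    if principal.startswith("arn:aws:iam::") and not roles:
        # The plugin authenticated the IAM principal but holds no role for it:
        # the access policy is fine, the role mapping is what is missing.
        result["reason"] = ("IAM principal authenticated but mapped to no security "
                            "role; make it the master user or map it to a role")
    else:
        result["reason"] = "principal is mapped, but its roles do not grant the action"
    return result


def role_mapping_body(iam_arns, backend_roles=()):
    """Request body for PUT _opendistro/_security/api/rolesmapping/<role>."""
    return {
        "backend_roles": list(backend_roles),
        "hosts": [],
        "users": list(iam_arns),
    }


if __name__ == "__main__":
    verdict = diagnose(SAMPLE_403)
    print(json.dumps(verdict, indent=2))
    # Placeholder role name; send this as the master user, signed with SigV4.
    body = role_mapping_body([verdict["principal"]])
    print("PUT /_opendistro/_security/api/rolesmapping/readonly_monitor")
    print(json.dumps(body, indent=2))
```

The check to keep in mind: if the reason string names your ARN, authentication and the domain access policy already succeeded, so adding more IAM statements will not help; the fix lives in the security plugin's role mappings or in the master user setting, and the role-mapping request itself must be sent by the current master user.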