 

AWS Elasticsearch Kibana with Cognito - Missing role

Following this article to set up Cognito auth for AWS Elasticsearch.

https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/

Getting an error:

Open Distro for Elasticsearch

Missing Role

No roles available for this user, please contact your system administrator.

Does anybody know why I could get it?

user10687568 asked Jun 13 '20 18:06


2 Answers

The crucial missing part was the below:

  • Navigate to the Elasticsearch domain on your AWS Elasticsearch console page
  • After this, click on the “Actions” button -> “Modify master user”
  • Then select “Set IAM ARN as master user” and in the “IAM ARN” field, add the IAM role ARN “arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group>”
  • Click Submit

thebighadron answered Sep 24 '22 07:09


If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.

Alternatively, you can configure the master user role to be the same as the Cognito Authenticated role ARN.

stackOp answered Sep 22 '22 07:09
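
One way to check the condition both answers describe, as an added example that is not part of either answer: it lists the IAM roles Cognito can hand to a Kibana user and tests whether the master user ARN you configured is among them. The sample data is constructed and shaped like `aws cognito-identity get-identity-pool-roles` and `aws cognito-idp list-groups` output; the account ID, role names and function names are placeholders.

```python
# Added diagnostic sketch (not from the original answers). Inputs are constructed
# samples shaped like `aws cognito-identity get-identity-pool-roles` and
# `aws cognito-idp list-groups` output; account ID and role names are placeholders.
ACCT = "arn:aws:iam::111122223333:role/"
IDENTITY_POOL_ROLES = {
    "Roles": {"authenticated": ACCT + "Cognito_KibanaAuth_Role"},
    "RoleMappings": {
        "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE:clientid": {
            "Type": "Token",  # role is taken from the user's group claims
            "AmbiguousRoleResolution": "AuthenticatedRole",
        }
    },
}
USER_POOL_GROUPS = {
    "Groups": [
        {"GroupName": "kibana-admins", "RoleArn": ACCT + "KibanaAdminRole"},
        {"GroupName": "kibana-readers", "RoleArn": ACCT + "KibanaLimitedRole"},
        {"GroupName": "no-role-group"},  # groups may have no IAM role attached
    ]
}

def candidate_roles(pool_roles, groups):
    """Map every IAM role ARN Cognito may issue to why it can be issued.
    This is a superset: it ignores which provider or group a given user has."""
    found = {}
    default = pool_roles.get("Roles", {}).get("authenticated")
    if default:
        found[default] = "identity pool authenticated role"
    token_mapping = False
    for mapping in pool_roles.get("RoleMappings", {}).values():
        token_mapping = token_mapping or mapping.get("Type") == "Token"
        for rule in mapping.get("RulesConfiguration", {}).get("Rules", []):
            found.setdefault(rule["RoleARN"], "rule on claim " + rule["Claim"])
    if token_mapping:  # group roles only apply when roles come from the token
        for group in groups.get("Groups", []):
            if group.get("RoleArn"):
                found.setdefault(group["RoleArn"], "user pool group " + group["GroupName"])
    return found

def check_master_user(master_arn, pool_roles, groups):
    """Return (ok, detail); ok means some Cognito-issued role equals master_arn."""
    roles = candidate_roles(pool_roles, groups)
    if master_arn in roles:
        return True, "master user matches " + roles[master_arn]
    return False, "no match; Cognito can issue: " + ", ".join(sorted(roles))

if __name__ == "__main__":
    print(check_master_user(ACCT + "KibanaAdminRole", IDENTITY_POOL_ROLES, USER_POOL_GROUPS))
```

A `False` result lists the roles Cognito can issue, which are the ARNs to compare against the “IAM ARN” field under “Modify master user”.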