Can I use Amazon's Elasticsearch with Rails searchkick gem securely?

Question

I want to know if and how I can use searchkick with Amazon's Elasticsearch securely.

Bellow is an image of the access options. IP Address isn't ideal as the server IP could change.

If I limit access to one or more AWS accounts or IAM users, then I'm not sure how to authenticate from the rails app.

Answer 1

You can make signed, secure requests to Amazon Elasticsearch from Ruby. I did the following with an app on Heroku.

Ensure you have elasticsearch gem >= v1.0.15 as support for this was only implemented there Dec 4th, 2015.

You also need this gem:

gem 'faraday_middleware-aws-signers-v4'

Example from the elasticsearch-ruby/elasticsearch-transport documentation:

You can use any standard Faraday middleware and plugins in the configuration block, for example sign the requests for the AWS Elasticsearch service:

With the following code:

require 'faraday_middleware/aws_signers_v4'

client = Elasticsearch::Client.new(url: ENV['AWS_ENDPOINT_URL']) do |f|
  f.request :aws_signers_v4,
            credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']),
            service_name: 'es',
            region: 'us-east-1'
end

This also works with the searchkick gem with Rails. Set Searchkick.client using the above example, in an initializer:

# config/initializers/elasticsearch.rb
require 'faraday_middleware/aws_signers_v4'

Searchkick.client = Elasticsearch::Client.new(url: ENV['AWS_ENDPOINT_URL']) do |f|
  f.request :aws_signers_v4,
            credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']),
            service_name: 'es',
            region: 'us-east-1'
end