I'm trying to use Elasticsearch for data storage for a Lambda function connected to Alexa Skills Kit. The Lambda works alright without Elasticsearch but ES provides much-needed fuzzy matching.
The only way I've been able to access it from Lambda is by enabling Elasticsearch global access but that's a really bad idea. I've also been able to access from my computer via open access policy or IP address policy. Is there a way to do read-only access via Lambda and read-write via IP?
On IAM I granted my Lambda role AmazonESReadOnlyAccess. On the ES side I tried this but it only worked for the IP address:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::NUMBER:root",
          "arn:aws:iam::NUMBER:role/lambda_basic_execution"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:NUMBER:domain/NAME/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:NUMBER:domain/NAME/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "MY IP" }
      }
    }
  ]
}
```
This forum post asks the same question but went unanswered.
To have your Lambda function assume an IAM role in another AWS account, do the following: Configure your Lambda function's execution role to allow the function to assume an IAM role in another AWS account. Modify your cross-account IAM role's trust policy to allow your Lambda function to assume the role.
The only way I know of to do this is to use a resource-based policy or an IAM-based policy on your ES domain. This would restrict access to a particular IAM user or role. However, to make this work you also need to sign your requests to ES using SigV4.
There are libraries that will do this signing for you, for example this one extends the popular Python requests library to sign ElasticSearch requests via SigV4. I believe similar libraries exist for other languages.
Now it's possible from your code with elasticsearch.js. Before you try it, you must install the http-aws-es module.

```javascript
const AWS = require('aws-sdk');
const httpAwsEs = require('http-aws-es');
const elasticsearch = require('elasticsearch');

const client = new elasticsearch.Client({
  host: 'YOUR_ES_HOST',
  // http-aws-es signs every request with SigV4 using the credentials below
  connectionClass: httpAwsEs,
  amazonES: {
    region: 'YOUR_ES_REGION',
    // reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN
    // from the Lambda environment (the execution role's credentials)
    credentials: new AWS.EnvironmentCredentials('AWS')
  }
});

// client.search({...})
```
Of course, before using it, configure access to the Elasticsearch domain: