I am trying to create a VPC controlled Elastic Search Service on AWS. The problem is I keep getting the error when I run the following code: 'ValidationException: Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC'.
const AWS = require('aws-sdk');
AWS.config.update({region:'<aws-datacenter>'});

// Resource-based access policy attached to the domain
const accessPolicies = {
    Statement: [{
        Effect: "Allow",
        Principal: { AWS: "*" },
        Action: "es:*",
        Resource: "arn:aws:es:<dc>:<accountid>:domain/<domain-name>/*"
    }]
};

const params = {
    DomainName: '<domain>', /* required */
    AccessPolicies: JSON.stringify(accessPolicies),
    AdvancedOptions: {
        EBSEnabled: "true",
        VolumeType: "io1",
        VolumeSize: "100",
        Iops: "1000"
    },
    EBSOptions: {
        EBSEnabled: true,
        Iops: 1000,
        VolumeSize: 100,
        VolumeType: "io1"
    },
    ElasticsearchClusterConfig: {
        DedicatedMasterCount: 3,
        DedicatedMasterEnabled: true,
        DedicatedMasterType: "m4.large.elasticsearch",
        InstanceCount: 2,
        InstanceType: 'm4.xlarge.elasticsearch',
        ZoneAwarenessEnabled: true
    },
    ElasticsearchVersion: '5.5',
    SnapshotOptions: { AutomatedSnapshotStartHour: 3 },
    // Placing the domain in a VPC is what requires the service-linked role
    VPCOptions: {
        SubnetIds: [ '<redacted>', '<redacted>' ],
        SecurityGroupIds: [ '<redacted>' ]
    }
};

const es = new AWS.ES();
es.createElasticsearchDomain(params, function (err, data) {
    if (err) {
        console.log(err, err.stack); // an error occurred
    } else {
        console.log(JSON.stringify(data, null, 4)); // successful response
    }
});
The problem is I get this error: ValidationException: Before you can proceed, you must enable a service-linked role to give Amazon ES permissions to access your VPC. I cannot seem to figure out how to create this service linked role for the elastic search service. In the aws.amazon.com IAM console I cannot select that service for a role. I believe it is supposed to be created automatically.
Has anybody run into this, or does anyone know how to fix it?
To create a service-linked role by using the IAM console:
1. Navigate to the IAM console and choose Roles in the navigation pane.
2. Choose Create new role.
3. On the Select role type page, in the AWS service-linked role section, choose the AWS service for which you want to create the role.
Amazon Elasticsearch Service (Amazon ES) is an Amazon Web Services product that allows developers to launch and operate Elasticsearch -- an open-source, Java-based search and analytics engine -- in the AWS cloud.
A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The service-linked role can be created using the AWS CLI.
aws iam create-service-linked-role --aws-service-name es.amazonaws.com
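The same step can be done from the SDK before calling createElasticsearchDomain. The following is an added example, not code from the original post: ensureEsServiceLinkedRole is a hypothetical helper name, it takes an aws-sdk v2 IAM client as its argument, and AWSServiceRoleForAmazonElasticsearchService is the name AWS assigns to the role created for es.amazonaws.com.

```javascript
// Added example: make sure the Amazon ES service-linked role exists before
// creating a VPC domain. `iam` is an aws-sdk v2 IAM client, for example:
//   const AWS = require('aws-sdk'); const iam = new AWS.IAM();
const ES_SERVICE = 'es.amazonaws.com';
const ES_SLR_NAME = 'AWSServiceRoleForAmazonElasticsearchService';

async function ensureEsServiceLinkedRole(iam) {
    // 1. Check first, so repeated deployments do not try to re-create the role.
    try {
        const { Role } = await iam.getRole({ RoleName: ES_SLR_NAME }).promise();
        return { created: false, arn: Role.Arn };
    } catch (err) {
        // Only "role not found" means we should create it. Anything else
        // (AccessDenied, throttling, ...) is surfaced to the caller.
        if (err.code !== 'NoSuchEntity') throw err;
    }

    // 2. Same operation as `aws iam create-service-linked-role`.
    try {
        const { Role } = await iam
            .createServiceLinkedRole({ AWSServiceName: ES_SERVICE })
            .promise();
        return { created: true, arn: Role.Arn };
    } catch (err) {
        // If another caller created the role between steps 1 and 2, the
        // role is now readable; otherwise report the original error.
        try {
            const { Role } = await iam.getRole({ RoleName: ES_SLR_NAME }).promise();
            return { created: false, arn: Role.Arn };
        } catch (_) {
            throw err;
        }
    }
}

// Usage with the params object from the question (hypothetical wiring):
//   await ensureEsServiceLinkedRole(new AWS.IAM());
//   await new AWS.ES().createElasticsearchDomain(params).promise();
```

The identity running this needs iam:GetRole and iam:CreateServiceLinkedRole; the policy granting the latter can be limited to the es.amazonaws.com service with the iam:AWSServiceName condition key.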