I am trying to connect my EC2 instance to my ES domain and keep getting the following error:
AuthorizationException(403, 'security_exception', 'no permissions for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')
Elasticsearch configuration:
public domain
fine-grained access control via IAM
access policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_ID:role/my-role"
},
"Action": "es:*",
"Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/test/*"
}
]
}
EC2 Configuration:
using IAM role my-role
with permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"es:*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
All HTTP requests sent from EC2 to ES are being signed. I have already verified signing works: if I use the security credentials of the IAM user that I also set as the IAM ARN master user when setting up my ES domain the requests between EC2 and ES work as expected.
The issue might be with fine-grained access control in ES. Same issue is mentioned here
If you want to connect to same ES cluster with FGAC from EC2 instance then you need to map EC2 IAM role with backend kibana roles. First you need to login to kibana with master user and then follow steps from doc to map EC2 IAM role to kibana 'all_access' role
Related
I am creating configuring a AWS DMS to migrate my RDS database to the S3 bucket. I created the instance and the source endpoint. There was no issue creating them. Now, I am creating a target endpoint choosing the S3 as the source. Before I create the target, I created a new policy with the following content.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:::buckettest2/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::buckettest2"
]
}
]
}
Then I created a new IAM role called SharKyaMalS3FullAccess and I attached the policy I created to that role. When I create the target endpoint using that role. I am getting the following error.
SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::xxxxxxxxx:role/SharKyaMalS3FullAccess is not configured properly.AccessDenied
What is wrong with my configuration and how can I fix it?
Your policy looks correct, so make sure when you create the IAM role you pick DMS as the AWS service. This will add the DMS service as a trusted entity.
{
"Version": "2012-10-17",
"Id": "Policy1612574490300",
"Statement": [
{
"Sid": "Stmt1612574488073",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:ec2:us-east-1:258977512672:instance/i-041123c1993c370ba"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my_bucket",
"arn:aws:s3:::my_bucket/*"
]
}
]
}
response is Invalid Principal. I dont see why it's invalid.
An EC2 instance isn't a valid principal. I think what you actually need to do here is use the ARN of the IAM role assigned to the EC2 instance.
You can specify following Principal in a policy
AWS account and root user
IAM users
Federated users (using web identity or SAML federation)
IAM roles
Assumed-role sessions
AWS services
Anonymous users (not recommended)
S3 Documentation Principal
AWS JSON policy elements: Principal
If you wanna give that instant access to the bucket then you can use Instance profiles
Background
Wiring
I have an Elasticsearch cluster on AWS Elasticsearch Service. It has a Kibana endpoint enabled. Cognito provides the AWS role based on the user's group.
Cognito groups and AWS roles
The AWS role that is set to the group viewer by AWS Cognito is arn:aws:iam:123:role/kibana-viewer.
The AWS role that is set to the group admin by AWS Cognito is arn:aws:iam:123:role/kibana-admin.
Desired restriction
Only admin group should have access to a specific index pattern when using Kibana to view the data. The limited index Elasticsearch pattern is secret-*.
The viewer group should not be able to access secret-* via Kibana.
Question
How can I prevent only the role arn:aws:iam:123:role/kibana-viewer from accessing secret-* index pattern in the AWS Elasticsearch cluster?
What I have tried
First attempt
Setting the following statement in access policy:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:123:role/kibana-viewer"
},
"Action": "es:*",
"Resource": "arn:aws:es:my-region:123:domain/my-domain/*"
}
The viewer was able to access index secret-1.
Second attempt
Setting the above Resource to arn:aws:es:my-region:123:domain/my-domain/secret-*, a viewer can't login due to:
User: x:x:x::xx:x is not authorized to perform: es:ESHttpGet
Third attempt
Setting both statements:
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam:123:role/kibana-viewer"
},
"Action": "es:ESHttpGet",
"Resource": "arn:aws:es:my-region:123:domain/my-domain/secret-*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:123:role/kibana-viewer"
},
"Action": "es:ESHttpGet",
"Resource": "arn:aws:es:my-region:123:domain/my-domain/*"
}
A viewer can login to Kibana but can't see any data due to 403 error on API call _plugin/kibana/api/saved_objects/?type=index-pattern&per_page=10000.
I was not able to solve it using AWS Elasticsearch.
However, I was able to get the desired result usin Open Distro for Elasticsearch on EC2. Also wrote a detailed blog post about it.
In S3, can we create an IAM user and give it rights to create other IAM users?
S3 and IAM are 2 different AWS services. S3 has nothing to do with IAM user creation.
I'll go ahead and assume that you meant creating an IAM user with permissions to create other users.
Yes, it is possible to do so. You just have to attach a suitable IAM policy to the newly created user. Following policy should get you started.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:CreateAccessKey"
],
"Resource": "*"
}
]
}
The policy specified by Maverick in the above answer can create a new user and create access and secret keys for the user. However, it cannot create or attach any policies to the created user. So, I'm adding the required permission to create and attach IAM and inline policies for IAM users.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:CreateAccessKey",
"iam:CreatePolicy",
"iam:CreateUser",
"iam:PutUserPolicy"
],
"Resource": "*"
}
]
}
Refer this for more information about actions related to Identity and Access Management (IAM) in AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html
I have an IAM Role for my Federated Identity Pool in Cognito. I want to give this role access to my Elasticsearch domain.
I added an inline policy to give read access to my Elasticsearch domain name using the new visual editor. I've attached this policy below.
I'm confused how to configure the access policy now for the Elasticsearch domain to give access to my IAM Role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "es:ListTags",
"Resource": "arn:aws:es:us-west-2:ACCOUNT_ID:domain/DOMAIN_NAME"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "es:ESHttpPost",
"Resource": "*"
}
]
}
EDIT: I was still never able to figure this out. We also tried locking things down with a VPN but then we were not able to access services like Kibana.