AWS Elasticsearch Kibana with Cognito - Missing role - amazon-web-services

Following this article to set up Cognito auth for AWS Elasticsearch:
https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/
I am getting an error:
Open Distro for Elasticsearch
Missing Role
No roles available for this user, please contact your system administrator.
Does anybody know why I could get it?

The crucial missing part was the below:
Navigate to the Elasticsearch domain on your AWS Elasticsearch console page.
After this, click on the "Actions" button -> "Modify master user".
Then select "Set IAM ARN as master user" and, in the "IAM ARN" field, add the IAM role ARN "arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group>".
Click Submit.

If you have enabled Fine-Grained Access Control on your Elasticsearch domain, one of the roles assumed from the Amazon Cognito identity pool must match the IAM role that you specified as the Master User. Assuming you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.
Alternatively, you can configure the master user role to be the same as the Cognito Authenticated role ARN.

Related

Cannot attach a Service Role Policy to a Customer Role

I have a problem when creating a Role: I am getting an error that says "Cannot attach a Service Role Policy to a Customer Role".
In fact, there is something called a Customer Managed Role, which the above error seems to display as 'Customer Role'.
From the AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role):
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now, if you create a role which isn't a service role and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well, and the reason was that my Role had custom inline policies attached. If a Role has custom (inline) policies attached, AWS doesn't let you attach the Service Role policies to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere, as I was scratching my head for quite some time on this.

How to grant access to IAM Role/User to create role inside AWS Elasticsearch?

AWS Elasticsearch fine-grained access control uses Open Distro for Elasticsearch security. Using this feature, authorization can be handled inside Elasticsearch: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles
The AWS documentation suggests using the Open Distro for Elasticsearch documentation for the security REST APIs, such as creating or reading a role:
You can create new roles for fine-grained access control using Kibana or the _opendistro/_security operation in the REST API. For more information, see the Open Distro for Elasticsearch documentation.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html
There are roles inside Elasticsearch with which we can control the authorization permissions of an IAM user/role. This is done using role mapping, by adding the IAM user to the users list or the IAM role to the backend roles.
I added my IAM role to an Elasticsearch backend role and I am able to execute the APIs below:
PUT /my_index
PUT /_template/template_for_my_index
But when I execute the API below, I get the following response:
PATCH /_opendistro/_security/api/rolesmapping/my_role_inside_elasticsearch
{'statusCode': 200, 'headers': {'Access-Control-Allow-Origin': '*'}, 'isBase64Encoded': False, 'body': '{"status":"FORBIDDEN","message":"No permission to access REST API: User arn:aws:iam::123456789:role/myIamRole with Open Distro Security Roles [all_access] does not have any role privileged for admin access. No ssl info found in request."}'}
I tried adding the IAM role to the Elasticsearch all_access role and also to my own Elasticsearch role, which has * permissions (all permissions).
How do I grant access to an IAM Role/User to create a role inside AWS Elasticsearch?
Note: IAM Roles and Elasticsearch Roles are different.
To grant an IAM user/role permission to access the Open Distro security APIs, you have to give the IAM entity permissions similar to the master user. You have two options to do so:
Either make that IAM entity the new master user via the AWS OpenSearch CLI/console,
or map the IAM user/role to all_access as well as security_manager, thereby adding it as an additional master user.
Note: For an IAM user, the ARN needs to be added under users, whereas for an IAM role, the ARN needs to be added under backend_roles in the role mapping section.
More details: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters
Can you clarify whether you were able to successfully map the IAM user/role to all_access? Your question is not clear on that.
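As an added example that is not from any of the posts above, the helpers below put the two answers' advice into checkable code: they build the role-mapping bodies for all_access and security_manager (IAM users under users, IAM roles under backend_roles, as the note above says), assemble the boto3 update_domain_config arguments that set an IAM ARN as the master user (the console's "Set IAM ARN as master user" step from the first answer), check that the Cognito authenticated role actually matches the master user (the cause of Kibana's "Missing Role" screen), and recognise the FORBIDDEN reply quoted above. The account ID, role names and the constructed sample response are placeholders; the function names are this example's own, not an AWS or Open Distro API.

```python
import json
import re

# Constructed placeholders: not a real account, role or user.
ACCOUNT_ID = "111111111111"
MASTER_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_KibanaAuth_Role"
LIMITED_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/Cognito_KibanaReadOnly_Role"
ADMIN_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/es-admin"

# Only plain IAM user and role ARNs are valid principals in a role mapping.
IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/\S+$")


def mapping_key_for(arn):
    """Fine-grained access control puts IAM users under 'users' and IAM roles
    under 'backend_roles'; any other ARN shape is rejected up front."""
    match = IAM_PRINCIPAL_RE.match(arn)
    if match is None:
        raise ValueError(f"not an IAM user or role ARN: {arn}")
    return "users" if match.group(1) == "user" else "backend_roles"


def build_role_mapping(principals):
    """Body for PUT /_opendistro/_security/api/rolesmapping/<es_role>."""
    body = {"users": [], "backend_roles": []}
    for arn in principals:
        body[mapping_key_for(arn)].append(arn)
    return body


def additional_master_mappings(principals):
    """An additional master user is an IAM entity mapped to BOTH all_access
    and security_manager; mapping only all_access is what produced the
    FORBIDDEN reply in the question. Returns one body per Elasticsearch role."""
    return {
        es_role: build_role_mapping(principals)
        for es_role in ("all_access", "security_manager")
    }


def master_user_config(domain_name, master_user_arn):
    """Keyword arguments for boto3's opensearch update_domain_config call that
    set an IAM ARN as the master user (the console's 'Set IAM ARN as master
    user'). Assumed parameter names follow the AdvancedSecurityOptions shape."""
    return {
        "DomainName": domain_name,
        "AdvancedSecurityOptions": {
            "MasterUserOptions": {"MasterUserARN": master_user_arn}
        },
    }


def cognito_role_matches_master(master_user_arn, cognito_role_arns):
    """Kibana shows 'Missing Role' when none of the roles a Cognito user can
    assume from the identity pool is the domain's master user."""
    return master_user_arn in set(cognito_role_arns)


def lacks_admin_privilege(response):
    """Recognise the security REST API's FORBIDDEN reply for a principal that
    is mapped to all_access but is not (also) a master user."""
    body = json.loads(response["body"])
    return (
        body.get("status") == "FORBIDDEN"
        and "privileged for admin access" in body.get("message", "")
    )


# Constructed sample reply shaped like the one quoted in the question.
SAMPLE_FORBIDDEN = {
    "statusCode": 200,
    "body": json.dumps({
        "status": "FORBIDDEN",
        "message": (
            f"No permission to access REST API: User {MASTER_USER_ARN} with "
            "Open Distro Security Roles [all_access] does not have any role "
            "privileged for admin access."
        ),
    }),
}

if __name__ == "__main__":
    print(json.dumps(additional_master_mappings([MASTER_USER_ARN, ADMIN_USER_ARN]), indent=2))
    print(cognito_role_matches_master(MASTER_USER_ARN, [LIMITED_ROLE_ARN]))  # False: Missing Role
    print(lacks_admin_privilege(SAMPLE_FORBIDDEN))  # True
```

The mapping bodies are what you would send with PUT to the rolesmapping endpoint for each of the two Elasticsearch roles, and the dict from master_user_config is what you would unpack into update_domain_config; neither call is made here, so the example runs without AWS credentials.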

How to resolve AWS resource ( ARN ) arn not reachable in a particular region?

I am trying to embed an AWS QuickSight Dashboard in one of my applications. I have followed all the steps mentioned in the AWS guide: https://docs.aws.amazon.com/quicksight/latest/user/embedded-dashboards-setup.html
I have created the AWS role with the required policy, but at the last step, when I try to fetch the embedded dashboard URL, I get the following error. Not sure what the issue is.
The function I call is:
import boto3

client = boto3.client('quicksight')
# the ARN from the error message below
arn = 'arn:aws:iam::9999999999999:role/EmbeddQuickSight'

response1 = client.get_dashboard_embed_url(
    AwsAccountId="999999999999",
    DashboardId='29dfd0b7-844e-4867-9a3c-77acdd647d1d',
    IdentityType='IAM',
    SessionLifetimeInMinutes=120,
    UserArn=arn
)
Value 'arn:aws:iam::9999999999999:role/EmbeddQuickSight' at 'userArn' failed to satisfy constraint: Specified resource is not reachable in this region ('us-east-1' )
According to the documentation, UserArn can't be an IAM role. It needs to be one of the following:
Active Directory (AD) users or group members
Invited nonfederated users
IAM users and IAM role-based sessions authenticated through Federated Single Sign-On using SAML, OpenID Connect, or IAM federation.
I could imagine that this is the underlying issue.

Custom Domain on Cognito

I would like to set up a custom domain for Cognito (it's under App Integration -> Domain Name). I am trying to follow this: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html#cognito-user-pools-add-custom-domain-adding, but I am a little bit confused about step 3.
On step 3: To set up a custom domain name or to update its certificate, you must have permission to update Amazon CloudFront distributions. You can do so by attaching the following IAM policy statement to an IAM user, group, or role in your AWS account.
I need to "attach" a permission for Cognito to create a CloudFront Distribution, but the documentation doesn't say how to do it.
I have created a role with a trust relationship for the Cognito ID... But it's still not able to create the CloudFront distribution... And there is no error message...

AWS Lex chatbot configuration in Facebook Messenger

While testing the chatbot using Messenger, it shows "Error: The IAM Role is not properly configured for Lex".
How do I configure IAM in AWS so that it works using an IAM role?
For my app, the IAM role is 'AWSServiceRoleForLexBots', and it integrates with Facebook Messenger.
If you navigate to the 'Security, Identity & Compliance' services on the AWS console, pick IAM. Further, under 'Create individual IAM users', check the 'Access Advisor' section in the user configuration.
If you have Administrator access, AWS should create 'AWSServiceRoleForLexBots' automatically for your profile.
Hope it helps!