Dealing with 403 Access Policy Issue in AWS Opensearch Setup Job

Original Slack Thread

opensearch setup job fails with 403 - access policy issue. Hey guys, we have datahub setup with aws eks, using AWS opensearch. Everything works fine if I have the access policy of:

    new PolicyStatement({
      actions: ['es:*'],
      effect: Effect.ALLOW,
      principals: [new AnyPrincipal()],
      resources: [`arn:aws:es:us-east-1:${this.accountId}:domain/domain/*`]
    })

but if I try and limit it to any specific role I get 403 errors. Even limiting it to AccountPrincipal(account_id) fails with 403. What is going on here and what is the solution? Thanks.

Hey Ryan! <@U03MF8MU5P0> might be able to point you in the right direction…

Can you share the logs and container in question? The code was definitely written for earlier versions of elasticsearch (not opensearch) and I believe OpenSearch's fine-grained permissions have diverged from elasticsearch quite a bit. It would help to get some context on which container and the request it's making to opensearch; both should be in the logs. Thanks!