On AWS elastic search {"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
Question:
I have created an AWS Elasticsearch domain
https://search-xx-xx.us-east-1.es.amazonaws.com/
On clicking both the Elasticsearch URL and the Kibana URL, below is the error I got
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
Below is the code, which is working fine
import boto3
from requests_aws4auth import AWS4Auth
from elasticsearch import Elasticsearch, RequestsHttpConnection

# Sign every request (SigV4, service 'es') with the credentials boto3 resolves
session = boto3.session.Session()
credentials = session.get_credentials()
awsauth = AWS4Auth(credentials.access_key,
                   credentials.secret_key,
                   session.region_name, 'es',
                   session_token=credentials.token)

es = Elasticsearch(
    ['https://search-testelastic-2276kyz2u4l3basec63onfq73a.us-east-1.es.amazonaws.com'],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection
)

def lambda_handler(event, context):
    es.cluster.health()
    # ignore=400: do not raise if the index already exists
    es.indices.create(index='my-index', ignore=400)
    r = [{'Name': 'Dr. Christopher DeSimone', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Tajwar Aamir (Aamir)', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Bernard M. Aaron', 'Specialised and Location': 'Health'},
         {'Name': 'Eliana M. Aaron', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Joseph J. Aaron', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Michael R. Aaron', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Darryl H. Aarons', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. William B. Aarons', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Sirike T. Aasmaa', 'Specialised and Location': 'Health'},
         {'Name': 'Dr. Jacobo A. Abadi', 'Specialised and Location': 'Health'}]
    # Index each document into my-index
    for doc in r:
        es.index(index="my-index", body=doc)
Below is the access policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "*"
        }
      }
    }
  ]
}
Answers:
This error would indicate your Elasticsearch service does not support anonymous requests (those not signed with valid IAM credentials).
Although your policy seems OK, the official allow-all policy looks like the below
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*"
    }
  ]
}
Try to use the AWS Signature authentication method in Postman, for tests.
In Postman, go to the Authorization tab and under Type, select AWS Signature, get your AWS Access Key and Secret Key from Security Credentials > Create Access Key.
Add your region in Postman and the service name as es and then hit Send. It should work!
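Added example (not part of the original question or answers): an offline check of a domain access policy like the two shown above. It flags Allow statements with a wildcard principal that either carry no aws:SourceIp restriction, which is what admits unsigned requests, or list a value that is not an IP address or CIDR range, such as the "*" in the question's policy. The function and finding names are made up for this example, and condition keys are matched by exact spelling only.

```python
import ipaddress
import json

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def audit_policy(policy_json):
    """Return (statement_index, finding) tuples for risky or malformed statements."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        ip_cond = stmt.get("Condition", {}).get("IpAddress", {})
        source_ips = as_list(ip_cond.get("aws:SourceIp", []))
        if not source_ips:
            # Wildcard principal and no IP restriction: unsigned requests are allowed
            findings.append((i, "wildcard-principal-no-source-ip"))
            continue
        for value in source_ips:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                # Not an IP address or CIDR range, so it restricts nothing useful
                findings.append((i, "invalid-source-ip:" + value))
                continue
            if net.prefixlen == 0:
                findings.append((i, "source-ip-matches-everything:" + value))
    return findings

def sample_policy(condition=None):
    # Constructed sample; the ARN is the redacted placeholder used on this page
    stmt = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

QUESTION_POLICY = sample_policy({"IpAddress": {"aws:SourceIp": "*"}})
ANSWER_POLICY = sample_policy()

if __name__ == "__main__":
    print(audit_policy(QUESTION_POLICY))
    print(audit_policy(ANSWER_POLICY))
```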