Amplify-cli: ElasticSearch Kibana: anonymous is not authorized to perform: es:ESHttpGet

Created on 5 Jan 2019 · 3 Comments · Source: aws-amplify/amplify-cli

* Which Category is your question related to? *
API

* What AWS Services are you utilizing? *
ElasticSearch

* Provide additional details e.g. code snippets *
I use the @searchable directive to enable ES in my app. It generates a domain in https://us-west-2.console.aws.amazon.com/es/home?region=us-west-2#. The domain looks like this:
image
However, if I click on Kibana: https://search-d-se4p7pnmfreddgjd6mkqpdosum-kimcwphpfebtwnbsesqyzxhdvu.us-west-2.es.amazonaws.com/_plugin/kibana/, I get {"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}.

Then I go to https://us-west-2.console.aws.amazon.com/es/home?region=us-west-2#domain:resource=d-se4p7pnmfreddgjd6mkqpdosum;action=access-policy trying to see my access policy. It is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::382750281432:role/AppSyncElasticSearchAccess-se4p7pnmfreddgjd6mkqpdosum"
      },
      "Action": [
        "es:ESHttpDelete",
        "es:ESHttpHead",
        "es:ESHttpGet",
        "es:ESHttpPost",
        "es:ESHttpPut"
      ],
      "Resource": "arn:aws:es:us-west-2:382750281432:domain/d-se4p7pnmfreddgjd6mkqpdosum/*"
    }
  ]
}

What's wrong?

All 3 comments

Solved by customer support 👍

Looks like how amplify-cli communicates with the (ES) domain is via the IAM role, which is fine for interacting with Elasticsearch, but for Kibana access you need to provide IP-based access, since Kibana in AWS ES does not support IAM user/role-based access. So what you can do is allow the IP address of your instance/dev machine manually in the AWS ES access policy, and you should be able to access Kibana. Editing the access policy won't harm the application.

How to edit?
image

Why doesn't Kibana support IAM user/role-based access?

Remember, if you need to use an IAM role or user to access the domain, then the HTTP request needs to be signed with the corresponding IAM credentials. So, in this case, Kibana access would require continuously signing requests in this manner, and this needs to be developed by the client app interacting with the domain.

Hope it helps.
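
The access-policy change described in the answer above, as an added example that is not part of the original thread or of amplify-cli: it appends an IP-restricted statement to a role-only policy and uses a simplified evaluation model (Allow statements only, no explicit Deny) to show why an unsigned browser request is anonymous under the role-only policy. The account ID, role name, domain name and IP addresses are constructed placeholders, and `with_ip_access` and `anonymous_allowed` are hypothetical helper names.

```python
import fnmatch
import ipaddress

# Constructed sample: same shape as the role-only policy in the question,
# with placeholder account id, role name and domain name.
DOMAIN_ARN = "arn:aws:es:us-west-2:111122223333:domain/example-domain/*"
ROLE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleAppSyncRole"},
        "Action": ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"],
        "Resource": DOMAIN_ARN,
    }],
}

def with_ip_access(policy, cidrs):
    """Return a copy of policy plus an IP-restricted statement for unsigned requests."""
    nets = [ipaddress.ip_network(c) for c in cidrs]  # ValueError on malformed input
    if not nets or any(n.prefixlen == 0 for n in nets):
        raise ValueError("refusing an empty or match-everything source list")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:ESHttp*",  # HTTP data-plane actions only, not es:*
        "Resource": DOMAIN_ARN,
        "Condition": {"IpAddress": {"aws:SourceIp": [str(n) for n in nets]}},
    }
    return {**policy, "Statement": policy["Statement"] + [statement]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def anonymous_allowed(policy, action, source_ip):
    """Simplified model: does any Allow statement admit an unsigned request?"""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if st.get("Effect") != "Allow" or "*" not in _as_list(aws):
            continue  # a role/user principal only matches a SigV4-signed request
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        cidrs = st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidrs is None or any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs)):
            return True
    return False
```

The existing role statement is kept, so signed requests made through the IAM role are unaffected, while the added statement admits unsigned requests only from the listed addresses.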

In my case it doesn't work even after the IP is provided; it still shows the message below for both ES and the Kibana UI.

Note: The same access policy works for my other AWS ES domain, but for this new domain it is showing this message:

{
"Message": "User: anonymous is not authorized to perform: es:ESHttpGet"
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:54545454454545:domain/sanytest/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "86..89.89.67",
            "103.241.40.246"
          ]
        }
      }
    }
  ]
}

@sany2k8 did you get this to work? I had this working on an m3.medium.elasticsearch but it's not working using t3.small.elasticsearch. Which instance type are you running on?
