Tutorial: Configure a domain with an IAM master user and Amazon Cognito authentication - Amazon OpenSearch Service

This tutorial covers a popular Amazon OpenSearch Service use case for fine-grained access control: an IAM master user with Amazon Cognito authentication for OpenSearch Dashboards.

In the tutorial, we'll configure a master IAM role and a limited IAM role, which we'll then associate with users in Amazon Cognito. The master user can then sign in to OpenSearch Dashboards, map the limited user to a role, and use fine-grained access control to limit the user's permissions.

Although these steps use the Amazon Cognito user pool for authentication, this same basic process works for any Cognito authentication provider that lets you assign different IAM roles to different users.

You'll complete the following steps in this tutorial:


In order to perform the steps in this tutorial, you must complete the following prerequisites:

The user pool and identity pool must be in the same Amazon Web Services Region.

Step 1: Create master and limited IAM roles

Navigate to the Amazon Identity and Access Management (IAM) console and create two separate roles:

  • MasterUserRole – The master user, which will have full permissions to the cluster and manage roles and role mappings.

  • LimitedUserRole – A more restricted role, to which you'll grant limited access as the master user.

For instructions to create the roles, see Creating a role using custom trust policies.

Both roles must have the following trust policy, which allows your Cognito identity pool to assume the roles:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "cognito-identity.amazonaws.com"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "cognito-identity.amazonaws.com:aud": "identity-pool-id"
      },
      "ForAnyValue:StringLike": {
        "cognito-identity.amazonaws.com:amr": "authenticated"
      }
    }
  }]
}

Replace identity-pool-id with the unique identifier of your Amazon Cognito identity pool. For example, us-east-1:0c6cdba7-3c3c-443b-a958-fb9feb207aa6.
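
The two conditions in this trust policy carry the security weight: aud pins the role to one identity pool, and amr limits it to authenticated identities. The following check is an added example, not part of the original tutorial or AWS code; the function name, the finding messages and the WEAK_POLICY variant are assumptions made for illustration.

```python
import copy

COGNITO = "cognito-identity.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_cognito_trust_policy(policy, identity_pool_id):
    """Return findings; an empty list means the policy matches the tutorial's form."""
    findings, seen = [], False
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if COGNITO not in _as_list(principal.get("Federated", [])):
            continue
        seen = True
        cond = st.get("Condition", {})
        # Strict comparison against the exact operators the tutorial uses.
        aud = _as_list(cond.get("StringEquals", {}).get(COGNITO + ":aud", []))
        if aud != [identity_pool_id]:
            findings.append("aud is not pinned to the expected identity pool")
        amr = _as_list(cond.get("ForAnyValue:StringLike", {}).get(COGNITO + ":amr", []))
        if amr != ["authenticated"]:
            findings.append("amr does not limit the role to authenticated identities")
        if _as_list(st.get("Action", [])) != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append("action is not exactly sts:AssumeRoleWithWebIdentity")
    if not seen:
        findings.append("no Allow statement trusts " + COGNITO)
    return findings

# Pool ID is the example value given in the tutorial text.
POOL_ID = "us-east-1:0c6cdba7-3c3c-443b-a958-fb9feb207aa6"
TUTORIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": COGNITO},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {COGNITO + ":aud": POOL_ID},
            "ForAnyValue:StringLike": {COGNITO + ":amr": "authenticated"},
        },
    }],
}
# Constructed weak variant: the aud condition has been dropped.
WEAK_POLICY = copy.deepcopy(TUTORIAL_POLICY)
del WEAK_POLICY["Statement"][0]["Condition"]["StringEquals"]

if __name__ == "__main__":
    print(check_cognito_trust_policy(TUTORIAL_POLICY, POOL_ID))
    print(check_cognito_trust_policy(WEAK_POLICY, POOL_ID))
```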

Step 2: Create a domain with Cognito authentication

Navigate to the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/home/ and create a domain with the following settings:

  • OpenSearch 1.0 or later, or Elasticsearch 7.8 or later

  • Public access

  • Fine-grained access control enabled with MasterUserRole as the master user (created in the previous step)

  • Amazon Cognito authentication enabled for OpenSearch Dashboards. For instructions to enable Cognito authentication and select a user and identity pool, see Configuring a domain to use Amazon Cognito authentication.

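  • The following domain access policy. Its wildcard principal lets any caller send HTTP requests to the domain, so authorization rests on fine-grained access control: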

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "*"
            ]
          },
          "Action": [
            "es:ESHttp*"
          ],
          "Resource": "arn:aws:es:region:account:domain/domain-name/*"
        }
      ]
    }

  • HTTPS required for all traffic to the domain

  • Node-to-node encryption

  • Encryption of data at rest

Step 3: Configure Cognito users and groups

While your domain is being created, configure the master and limited users and groups within Amazon Cognito.

  1. Navigate to the Amazon Cognito console at https://console.aws.amazon.com/cognito/v2/ and choose User pools.

  2. Choose your user pool to open its configuration, then choose Create user.

  3. Specify a username of master-user and a password, and then choose Create user.

  4. Create another user named limited-user.

  5. Go to the Groups tab and choose Create group. Name the group master-user-group.

  6. Select MasterUserRole in the IAM role dropdown, and then choose Create group.

  7. Create another group named limited-user-group that uses the LimitedUserRole IAM role.

Then, add the users to their corresponding groups.

  1. Choose master-user-group, choose Add user to group, and select master-user.

  2. Choose limited-user-group, choose Add user to group, and select limited-user.

Lastly, configure your identity pool.

  1. Go to the App integration tab. Under App clients and analytics, note the client ID for your domain.

  2. Choose Federated Identities from the left navigation pane.

  3. Select your identity pool and choose Edit identity pool.

  4. Expand Authentication providers, find your user pool ID and the app client ID for your domain, and change Use default role to Choose role from token.

  5. For Role resolution, choose DENY. With this setting, users must be in a group to receive an IAM role after authenticating.

  6. Choose Save Changes.

Step 4: Map roles in OpenSearch Dashboards

Now that your users and groups are configured, you can sign in to OpenSearch Dashboards as the master user and map users to roles.

  1. Go back to the OpenSearch Service console and navigate to the OpenSearch Dashboards URL for the domain you created. The URL follows this format: domain-endpoint/_dashboards/.

  2. Sign in with the master-user credentials.

  3. Choose Add sample data and add the sample flight data.

  4. In the left navigation pane, choose Security, Roles, Create role.

  5. Name the role new-role.

  6. For Index, specify opensearch_dashboards_sample_data_fli* (kibana_sample_data_fli* on Elasticsearch domains).

  7. For Index permissions, choose read.

  8. For Document level security, specify the following query:

    { "match": { "FlightDelay": true } }

  9. For field-level security, choose Exclude and specify FlightNum.

  10. For Anonymization, specify Dest.

  11. Choose Create.

  12. Choose Mapped users, Manage mapping. Add the Amazon Resource Name (ARN) for LimitedUserRole as an external identity and choose Map.

  13. Return to the list of roles and choose opensearch_dashboards_user. Choose Mapped users, Manage mapping. Add the ARN for LimitedUserRole as a backend role and choose Map.
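
To see what new-role exposes before relying on it, the settings from step 4 can be applied to sample documents by hand. This is an added example, not part of the original tutorial or AWS code: NEW_ROLE uses the shape of the security plugin's roles API body, the documents are constructed, only a simple match query is interpreted, and SHA-256 stands in for the plugin's own masking hash.

```python
import hashlib
import json

# Step 4 settings, in the shape of a PUT _plugins/_security/api/roles/new-role body.
NEW_ROLE = {
    "index_permissions": [{
        "index_patterns": ["opensearch_dashboards_sample_data_fli*"],
        "allowed_actions": ["read"],
        "dls": json.dumps({"match": {"FlightDelay": True}}),  # document-level security
        "fls": ["~FlightNum"],                                # "~" prefix excludes a field
        "masked_fields": ["Dest"],                            # anonymization
    }]
}

# Constructed sample documents (not real flight data).
SAMPLE_DOCS = [
    {"FlightNum": "EX1001", "Dest": "Example Airport A",
     "FlightDelay": True, "FlightDelayMin": 45},
    {"FlightNum": "EX1002", "Dest": "Example Airport B",
     "FlightDelay": False, "FlightDelayMin": 0},
]

def view_as_role(role, docs):
    """Return the documents as a user holding only this role would see them."""
    perm = role["index_permissions"][0]
    match = json.loads(perm["dls"])["match"]  # only simple match queries handled
    excluded = {f[1:] for f in perm["fls"] if f.startswith("~")}
    visible = []
    for doc in docs:
        if any(doc.get(k) != v for k, v in match.items()):
            continue  # DLS hides the whole document
        out = {}
        for field, value in doc.items():
            if field in excluded:
                continue  # FLS drops the field entirely
            if field in perm["masked_fields"]:
                # Stand-in hash; the plugin's algorithm and salt differ.
                value = hashlib.sha256(str(value).encode()).hexdigest()
            out[field] = value
        visible.append(out)
    return visible

if __name__ == "__main__":
    print(json.dumps(view_as_role(NEW_ROLE, SAMPLE_DOCS), indent=2))
```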