Configuring permissions when resources are in different accounts - Amazon Personalize
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configuring permissions when resources are in different accounts

If your OpenSearch Service and Amazon Personalize resources are in separate accounts, you create an IAM role in each account and grant each role access to the resources in its own account.

To set up permissions for multiple accounts
  1. In the account where your Amazon Personalize campaign exists, create an IAM role that has permission to get a personalized ranking from your Amazon Personalize campaign. When you configure the plugin, you specify the ARN for this role in the external_account_iam_role_arn parameter of the personalized_search_ranking response processor. For more information, see Configuring the plugin.

    For a policy example, see Permissions policy example.

  2. In the account where your OpenSearch Service domain exists, create a role with a trust policy that grants OpenSearch Service AssumeRole permissions. When you configure the plugin, you specify the ARN for this role in the iam_role_arn parameter of the personalized_search_ranking response processor. For more information, see Configuring the plugin.

    For a trust policy example, see Trust policy example.

  3. Modify each role so that it grants the other role AssumeRole permissions. For example, the IAM policy of the role that has access to your Amazon Personalize resources would grant AssumeRole permissions on the role in the account with the OpenSearch Service domain, as follows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::<Account number for role with access to OpenSearch Service domain>:role/roleName"
        }
      ]
    }
  4. In the account where your OpenSearch Service domain exists, grant the user or role that's accessing your OpenSearch Service domain PassRole permissions for the OpenSearch Service service role you just created. For more information, see Configuring Amazon OpenSearch Service domain security.
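The four steps above produce a small set of policy documents that have to agree with each other: each role's AssumeRole grant must name the other role, and the trust policies must admit only the intended principals. The following Python is an added example, not AWS documentation or Amazon Personalize code. It builds those documents from placeholder ARNs and then checks that the pair is scoped to each other, flagging wildcard resources or a trust policy that admits more than the partner role. The account numbers, role names, campaign ARN and the OpenSearch Service principal name (opensearchservice.amazonaws.com) are assumptions.

```python
"""Added example (not AWS documentation or Amazon Personalize code): build the
IAM policy documents for the four-step cross-account setup and check that the
two roles are scoped to each other.  Account numbers, role names, the campaign
ARN and the OpenSearch Service principal name are assumptions."""
import json
import re

# IAM role ARN; the capture group is the 12-digit account ID.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-cn)?:iam::(\d{12}):role/[\w+=,.@/-]+$")
# Assumed service principal that OpenSearch Service uses when it assumes the role.
OPENSEARCH_PRINCIPAL = "opensearchservice.amazonaws.com"


def account_id_from_role_arn(arn):
    """Return the account ID of an IAM role ARN, or raise if it is not one."""
    match = ROLE_ARN_RE.match(arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return match.group(1)


def assume_role_grant(target_role_arn):
    """Statement allowing sts:AssumeRole on exactly one role (mirrors step 3)."""
    return {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}


def build_cross_account_policies(personalize_role_arn, opensearch_role_arn, campaign_arn):
    """Return the policy documents for steps 1-4, keyed by purpose."""
    if account_id_from_role_arn(personalize_role_arn) == account_id_from_role_arn(opensearch_role_arn):
        raise ValueError("both roles are in one account; no cross-account setup is needed")
    return {
        # Step 1 + 3: Personalize-account role may rank with the campaign and assume the partner role.
        "personalize_role_permissions": {
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "personalize:GetPersonalizedRanking",
                 "Resource": campaign_arn},
                assume_role_grant(opensearch_role_arn),
            ],
        },
        # Trust policy of the Personalize-account role: only the partner role may assume it.
        "personalize_role_trust": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": opensearch_role_arn},
                           "Action": "sts:AssumeRole"}],
        },
        # Step 2: trust policy that lets OpenSearch Service assume the OpenSearch-account role.
        "opensearch_role_trust": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": OPENSEARCH_PRINCIPAL},
                           "Action": "sts:AssumeRole"}],
        },
        # Step 3: OpenSearch-account role may assume the Personalize-account role.
        "opensearch_role_permissions": {
            "Version": "2012-10-17",
            "Statement": [assume_role_grant(personalize_role_arn)],
        },
        # Step 4: caller in the OpenSearch account may pass the service role, only to OpenSearch Service.
        "caller_passrole": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": opensearch_role_arn,
                           "Condition": {"StringEquals": {"iam:PassedToService": OPENSEARCH_PRINCIPAL}}}],
        },
    }


def check_cross_account_policies(policies, personalize_role_arn, opensearch_role_arn):
    """Return findings (empty list = OK): each role must grant AssumeRole on its partner
    role, with no wildcard resources and no trust wider than the partner role."""
    findings = []
    partners = {"personalize_role_permissions": opensearch_role_arn,
                "opensearch_role_permissions": personalize_role_arn}
    for name, partner in partners.items():
        statements = policies[name]["Statement"]
        targets = [s["Resource"] for s in statements if s.get("Action") == "sts:AssumeRole"]
        if partner not in targets:
            findings.append(f"{name}: no sts:AssumeRole statement scoped to {partner}")
        for s in statements:
            if s.get("Resource") == "*":
                findings.append(f"{name}: wildcard Resource on {s.get('Action')}")
    for s in policies["personalize_role_trust"]["Statement"]:
        principal = s.get("Principal", {}).get("AWS")
        if principal != opensearch_role_arn:
            findings.append(f"personalize_role_trust: principal {principal!r} is not the partner role")
    return findings


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own.
    personalize_role = "arn:aws:iam::111111111111:role/PersonalizeRankingRole"
    opensearch_role = "arn:aws:iam::222222222222:role/OpenSearchPluginRole"
    campaign = "arn:aws:personalize:us-east-1:111111111111:campaign/example-campaign"
    docs = build_cross_account_policies(personalize_role, opensearch_role, campaign)
    print(json.dumps(docs["personalize_role_permissions"], indent=2))
    print("findings:", check_cross_account_policies(docs, personalize_role, opensearch_role))
```

The check is deliberately strict about the Resource field: an AssumeRole grant on "*" would let the role assume any role that trusts it, which is far more than the plugin needs, and the PassRole statement is conditioned on iam:PassedToService so the caller cannot hand the service role to another service.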