Configuring Amazon OpenSearch Service domain security
To use the plugin with OpenSearch Service, the user or role that's accessing your domain must have PassRole permissions for the IAM service role for OpenSearch Service you just created. Also, the user or role must have permission to perform the es:ESHttpGet and es:ESHttpPut actions.
For information about configuring access to OpenSearch Service, see Security in Amazon OpenSearch Service in the Amazon OpenSearch Service Developer Guide. For policy examples, see Policy examples for OpenSearch Service user or role.
Policy examples for OpenSearch Service user or role
The following IAM policy example grants a user or role PassRole permissions for the IAM service role that you created for OpenSearch Service in Configuring permissions when resources are in the same account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "OpenSearch Service role ARN"
        }
    ]
}
The following IAM policy grants the minimum permissions to create pipelines and search queries with OpenSearch Service.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "es:ESHttpGet",
                "es:ESHttpPut"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:ResourceTag/environment": [
                        "production"
                    ]
                }
            }
        }
    ]
}
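The two policies above are safe only while iam:PassRole stays pinned to one role ARN and the es: actions on Resource "*" stay behind the resource-tag condition. The following check is an added example, not part of the AWS documentation: it lints policy documents for those two properties and reports which of the three required actions are missing. The function names, account ID, and role name are assumptions made for illustration.

```python
import json
import re

# Assumption: a role ARN with no wildcard, in any AWS partition.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
REQUIRED = {"iam:PassRole", "es:ESHttpGet", "es:ESHttpPut"}

def as_list(value):
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policies(*policy_docs):
    """Return (findings, missing_actions) for one or more policy JSON strings."""
    findings, granted = [], set()
    for doc in policy_docs:
        for stmt in as_list(json.loads(doc).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = as_list(stmt.get("Action"))
            resources = as_list(stmt.get("Resource"))
            granted.update(actions)
            findings += [f"wildcard action {a!r}" for a in actions if "*" in a]
            if "iam:PassRole" in actions:
                findings += [f"iam:PassRole not pinned to a role ARN: {r!r}"
                             for r in resources if not ROLE_ARN.match(r)]
            if any(a.startswith("es:") for a in actions) and "*" in resources:
                keys = [k.lower() for op in stmt.get("Condition", {}).values() for k in op]
                if not any(k.startswith("aws:resourcetag/") for k in keys):
                    findings.append("es: actions on Resource '*' with no aws:ResourceTag condition")
    return findings, sorted(REQUIRED - granted)

# Constructed sample policies; the account ID and role name are placeholders.
PASSROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/ExampleOpenSearchServiceRole"}]})
ES_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpPut"], "Resource": "*",
     "Condition": {"ForAnyValue:StringEquals":
                   {"aws:ResourceTag/environment": ["production"]}}}]})
LOOSE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["es:ESHttpGet"], "Resource": "*"}]})

if __name__ == "__main__":
    print(lint_policies(PASSROLE_POLICY, ES_POLICY))
    print(lint_policies(LOOSE_POLICY))
```

Action names are matched with exact case, as they are written on this page.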