Configuring permissions when resources are in the same account

If your OpenSearch Service and Amazon Personalize resources are in the same account, you must create an IAM service role for OpenSearch Service. To let OpenSearch Service get a personalized ranking from your Amazon Personalize campaign, this role must meet the following requirements:

  • The role's trust policy must grant AssumeRole permissions for OpenSearch Service. For a trust policy example, see Trust policy example.

  • The role must have permission to get a personalized ranking from your Amazon Personalize campaign. For a policy example, see Permissions policy example.

For information about creating an IAM role, see Creating IAM roles in the IAM User Guide. For information about attaching an IAM policy to a role, see Adding and removing IAM identity permissions in the IAM User Guide.

After you create an IAM service role for OpenSearch Service, you must grant the user or role that's accessing your OpenSearch Service domain PassRole permissions for the OpenSearch Service service role. For more information, see Configuring Amazon OpenSearch Service domain security.

Trust policy example

The following trust policy example grants AssumeRole permissions for OpenSearch Service.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": [
                "es.amazonaws.com"
            ]
        }
    }]
}

Permissions policy example

The following policy example grants the role the minimum permissions to get a personalized ranking from your Amazon Personalize campaign. For Campaign ARN, specify the Amazon Resource Name (ARN) of your Amazon Personalize campaign.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "personalize:GetPersonalizedRanking"
            ],
            "Resource": "Campaign ARN"
        }
    ]
}
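
The following is an added example, not part of the AWS documentation: a small offline check that a role's trust and permissions policies have not drifted wider than the two examples above, plus the PassRole policy for the caller scoped to the single service role. The ARNs, function names, and the campaign ARN pattern are constructed assumptions.

```python
import re

# Constructed sample ARNs (placeholders, not values from the page).
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleOpenSearchPersonalizeRole"
CAMPAIGN_ARN = "arn:aws:personalize:us-west-2:111122223333:campaign/example-campaign"

# Assumed shape of one concrete campaign ARN: 12-digit account ID, no wildcards.
CAMPAIGN_RE = re.compile(r"^arn:aws[a-z-]*:personalize:[a-z0-9-]+:\d{12}:campaign/[^*?]+$")

def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Service."""
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def audit_role(trust, permissions):
    """Return findings; an empty list means both policies match the page's examples."""
    findings = []
    for st in allow_statements(trust):
        principal = st.get("Principal")
        ok = (isinstance(principal, dict) and set(principal) == {"Service"}
              and as_list(principal["Service"]) == ["es.amazonaws.com"])
        if not ok:
            findings.append("trust: principal is not limited to es.amazonaws.com")
        if as_list(st.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("trust: action is not exactly sts:AssumeRole")
    for st in allow_statements(permissions):
        if "NotAction" in st or "NotResource" in st:
            findings.append("permissions: NotAction/NotResource widens the grant")
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        if actions != ["personalize:getpersonalizedranking"]:
            findings.append("permissions: grants more than GetPersonalizedRanking")
        for res in as_list(st.get("Resource", [])):
            if not CAMPAIGN_RE.match(res):
                findings.append(f"permissions: resource {res!r} is not one campaign ARN")
    return findings

def pass_role_policy(role_arn):
    """Identity policy for the caller: PassRole on this one service role only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn}]}
```

Running audit_role on the permissions policy exactly as printed above reports the unreplaced "Campaign ARN" placeholder as a finding, which catches a template that was deployed without being filled in.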