I have created AWS elasticsearch domain
https://search-xx-xx.us-east-1.es.amazonaws.com/
On click both elastic url and kibana below is the error i got
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
Below is code which is working fine
import boto3
from requests_aws4auth import AWS4Auth
from elasticsearch import Elasticsearch, RequestsHttpConnection
session = boto3.session.Session()
credentials = session.get_credentials()
awsauth = AWS4Auth(credentials.access_key,
credentials.secret_key,
session.region_name, 'es',
session_token=credentials.token)
es = Elasticsearch(
['https://search-testelastic-2276kyz2u4l3basec63onfq73a.us-east-1.es.amazonaws.com'],
http_auth=awsauth,
use_ssl=True,
verify_certs=True,
connection_class=RequestsHttpConnection
)
def lambda_handler(event, context):
es.cluster.health()
es.indices.create(index='my-index', ignore=400)
r = [{'Name': 'Dr. Christopher DeSimone', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Tajwar Aamir (Aamir)', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Bernard M. Aaron', 'Specialised and Location': 'Health'},
{'Name': 'Eliana M. Aaron', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Joseph J. Aaron', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Michael R. Aaron', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Darryl H. Aarons', 'Specialised and Location': 'Health'},
{'Name': 'Dr. William B. Aarons', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Sirike T. Aasmaa', 'Specialised and Location': 'Health'},
{'Name': 'Dr. Jacobo A. Abadi', 'Specialised and Location': 'Health'}]
for e in enumerate(r):
es.index(index="my-index", body=e[1])
Below is the access policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "*"
}
}
}
]
}
This error would indicate your ElasticSearch service does not support anonymous requests (those not signed with valid IAM credentials).
Although your policy sees ok the official allow all policy looks like the below
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*"
}
]
}