
Appsync + Elasticsearch : Communication error while executing a request to OpenSearch


I am trying to do a quick PoC between AppSync (GraphQL) and Elasticsearch (v7.10), but I am getting the communication error below when the AppSync resolver tries to invoke ES. It's a simple GraphQL query.

I tried following this tutorial for this PoC: https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-elasticsearch-resolvers.html

CloudWatch Logs is enabled for both AppSync and Elasticsearch, but there is not much on this error. Any help on this is much appreciated.

Below are the details.

ES: version 7.10 (also tried with OpenSearch 1.0, but same error). It's within the VPC, and AppSync is created within the same region as the VPC.

Error :

{
    "data": {
      "allPosts": null
    },
    "errors": [
      {
        "path": [
          "allPosts"
        ],
        "data": null,
        "errorType": "OpenSearch:RuntimeException",
        "errorInfo": null,
        "locations": [
          {
            "line": 2,
            "column": 3,
            "sourceName": null
          }
        ],
        "message": "Communication error while executing a request to OpenSearch."
      }
    ]
  }

Request Mapping Template (Resolver)

{
    "version": "2017-02-28",
    "operation": "GET",
    "path": "/item_catlog_001/_doc/_search",
    "params": {
        "body": {
            "from": 0,
            "size": 50,
            "query": {
                "match_all": {}
            }
        }
    }
}

IAM role on the AppSync end

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:ESHttpDelete",
                "es:ESHttpHead",
                "es:ESHttpGet",
                "es:ESHttpPost",
                "es:ESHttpPut"
            ],
            "Resource": [
                "arn:aws:es:ap-southeast-2:*:domain/helloworld/*"
            ]
        }
    ]
}

Trust relationships

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Access policy at ES/OS end

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-2:*:domain/helloworld/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::*:role/service-role/appsync-ds-es-57leg5-vpc-helloworld-o53f5"
      },
      "Action": [
        "es:ESHttpDelete",
        "es:ESHttpHead",
        "es:ESHttpGet",
        "es:ESHttpPost",
        "es:ESHttpPut"
      ],
      "Resource": "arn:aws:es:ap-southeast-2:*:domain/helloworld/*"
    }
  ]
}

thanks
Vasu


Solution

  • If you have Elasticsearch behind a VPC, you'll see this error. Check this out:

    AWS AppSync supports using Amazon OpenSearch Service from domains that you have provisioned in your own AWS account, provided they don’t exist inside a VPC

    https://docs.aws.amazon.com/appsync/latest/devguide/tutorial-elasticsearch-resolvers.html

    This is an issue that has vexed me as well. The best solution I've managed is to create a Lambda proxy behind the same VPC as Elasticsearch: have the Lambda accept your ES search string, pass it along, and return the results to your AppSync resolver. AppSync can use Lambdas behind a VPC (but for some reason not OpenSearch).
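
A sketch of the Lambda proxy described in the answer above, added here as an example (it is not code from the original post or from AWS). It builds the search request itself instead of forwarding a caller-supplied path or query body, so the GraphQL client controls only the search text and a clamped paging window. The `ES_ENDPOINT` variable, the argument names `text`/`from`/`size`, the placeholder endpoint and the size limits are assumptions.

```python
import json
import os
import urllib.request

# Assumptions (not from the original post): the env var name, the argument
# names "text"/"from"/"size", and the limits below are illustrative.
ES_ENDPOINT = os.environ.get("ES_ENDPOINT", "https://vpc-helloworld.example.invalid")
INDEX = "item_catlog_001"  # index name taken from the question's resolver path
MAX_SIZE = 50


def build_search(arguments):
    """Map AppSync arguments to a fixed-shape search (text and paging only)."""
    args = arguments or {}
    start = max(0, int(args.get("from") or 0))
    size = min(MAX_SIZE, max(1, int(args.get("size") or MAX_SIZE)))
    text = args.get("text")
    if text is None or text == "":
        query = {"match_all": {}}
    elif isinstance(text, str) and len(text) <= 256:
        # simple_query_string ignores invalid syntax instead of erroring
        query = {"simple_query_string": {"query": text}}
    else:
        raise ValueError("text must be a string of at most 256 characters")
    return f"/{INDEX}/_search", {"from": start, "size": size, "query": query}


def http_send(path, body):
    """Unsigned POST to the domain endpoint from inside the VPC."""
    req = urllib.request.Request(
        ES_ENDPOINT + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def handler(event, context, send=http_send):
    """Lambda entry point; AppSync invokes it as a Lambda data source."""
    path, body = build_search(event.get("arguments"))
    hits = send(path, body).get("hits", {}).get("hits", [])
    # Return only the document sources for the GraphQL list field
    return [hit["_source"] for hit in hits]
```

The unsigned request relies on the open `"AWS": "*"` statement in the question's domain access policy; if that statement is removed so that only the role-scoped statement remains, the Lambda's execution role must be named in the policy and the request must be SigV4-signed.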