I'm trying to allow beanstalk applications to access our elasticsearch service, but every method I find in your documentation fails to grant access to these apps. So far the only methods that worked for me in enabling access was to open the cluster to the entire world, and enabling specific IPs (which is clearly not an option, given the dynamic nature of Elastic beanstalk). What I have tried - Creating a policy from the "Allow or deny access to one or more accounts..." to the root of our AWS account. Creating a policy from the "Allow or deny access to one or more accounts..." to the IAM role assigned to beanstalk EC2 servers Attaching a policy to the beanstalk IAM role, allowing him ES:* privileges on the elasticsearch domain.
Why are all of these methods failing? The documentation seems to indicate each of those methods should work, so what am I missing here?
The solution turns out to be sending signed requests as an authorised AWS user. More infor in the following links -
https://docs.aws.amazon.com/aws-sdk-php/v3/guide/service/es-data-plane.html
http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html
http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html