Search code examples
pythonamazon-web-servicesaws-lambdaaws-elasticsearch

On AWS elastic search {"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}

I have created AWS elasticsearch domain

https://search-xx-xx.us-east-1.es.amazonaws.com/

On click both elastic url and kibana below is the error i got

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}

enter image description here

Below is code which is working fine

import boto3
from requests_aws4auth import AWS4Auth
from elasticsearch import Elasticsearch, RequestsHttpConnection
session = boto3.session.Session()
credentials = session.get_credentials()

awsauth = AWS4Auth(credentials.access_key,
                   credentials.secret_key,
                   session.region_name, 'es',
                   session_token=credentials.token)
es = Elasticsearch(
    ['https://search-testelastic-2276kyz2u4l3basec63onfq73a.us-east-1.es.amazonaws.com'],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection
)


def lambda_handler(event, context):
    es.cluster.health()
    es.indices.create(index='my-index', ignore=400)
    r = [{'Name': 'Dr. Christopher DeSimone', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Tajwar Aamir (Aamir)', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Bernard M. Aaron', 'Specialised and Location': 'Health'},
 {'Name': 'Eliana M. Aaron', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Joseph J. Aaron', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Michael R. Aaron', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Darryl H. Aarons', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. William B. Aarons', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Sirike T. Aasmaa', 'Specialised and Location': 'Health'},
 {'Name': 'Dr. Jacobo A. Abadi', 'Specialised and Location': 'Health'}]
    for e in enumerate(r):
         es.index(index="my-index", body=e[1])

Below is the access policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "*"
        }
      }
    }
  ]
}
Solution

  • This error would indicate your ElasticSearch service does not support anonymous requests (those not signed with valid IAM credentials).

    Although your policy sees ok the official allow all policy looks like the below

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:xxxxxx:domain/xxxxx/*"
    }
  ]
}