Securely Connect to AWS Elasticsearch from Nextjs Serverless Functions
I am trying to securely connect to my ES service from the serverless functions in Nextjs. The serverless functions have no fixed IP address or IP address range so I can't secure it that way. I have tried creating an IAM User and using the access key ID and secret access key to create the basic authorization header like this.
const auth = btoa(`${accessKey}:${accessSecret}`);
Then I used that as the Authorization header like this.
`Authorization: Basic ${auth}`
The request comes back with the following error.
{
"message": "Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=Basic XXXXXXXXXXXXXXXXXXXXXXXXXX"
}
I have given the IAM user permission through the access policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXX:user/elasticsearch"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-2:XXXXXXXX:domain/team-up/*"
}
]
}
Is this the right way to secure the connection to the database? I have tried setting up a password on the database using the POST /_security/user/_password endpoint, but that fails too.
Amazon claims that basic authorization is supported.
https://aws.amazon.com/elasticsearch-service/faqs/
I didn't create a master user during the wizard setup of the aws elasticsearch domain. Once the domain is created there is no way to create a master user it seems. I deleted the elasticseach domain and recreated it with a master user.
I followed this guide. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html#fgac-walkthrough-basic
- Cloudfront redirect when signed cookies not present
- AWS Lambda and DynamoDB - updatetItem is not a function
- AWS ElasticBeanstalk EC2 Termination Protection
- Install pgAgent on AWS RDS for Postgres
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- List all parameters in AWS SSM Parameter Store
- AWS push_down_predicate not working with DynamoDb
- localstack AWS S3 javascript error : getaddrinfo ENOTFOUND bucketname.localhost
- AWS ECS agent won't start
- AWS VPC (Virtual Private Cloud), rapidly increasing expenses
- SemaphoreCI OIDC AWS connection
- Can't delete AWS internet Gateway
- How to provide multiple StringNotEquals conditions in AWS policy?
- Not able to get ECS fargate metrics on Datadog
- 502 "Internal Server Error" with API Gateway + Lambda when deploying
- Java Springboot application not able to connect to AWS Elasticache Valkey Cache (Serverless)
- Splitting PDF with PyPDF2 in Lambda function
- "libdbus-glib-1.so.2: cannot open shared object file: No such file or directory"
- Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY
- Best way to store Firebase admin private key file for AWS lambda
- AWS Elastic Beanstalk and Secret Manager
- Unable to upload data using sagemaker_session.upload_data in s3 bucket that I created, it is getting stored in default s3 bucket
- Parse Aws IoT message in python
- How to temporarily switch profiles for AWS CLI?
- Python Sqlalchemy insert data into AWS Redshift
- Using AWS Bedrock Prompt Management with InvokeCommand
- How to skip IAM change confirmation during a cdk deploy?
- Restarting AWS lambda function to clear cache
- How to send data to API Post to be used by Lambda Function
- Why is postman showing error message but react app not showing it?