Search code examples
amazon-web-serviceselasticsearchaws-lambdaaws-elasticsearch

Unable to connect AWS Lambda to Elastic Search. Getting a 403 error

I am trying to load streaming Data into Amazon ES from Amazon Kinesis Data Streams as given in the tutorial: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-aws-integrations.html#es-aws-integrations-kinesis

As given in the tutorial, my lambda function is:

import base64
import boto3
import json
import requests
from requests_aws4auth import AWS4Auth

region = 'us-east-1'
service = 'es'
credentials = boto3.Session().get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token)

host = '' # the ES domain has been specified here
index = 'lambda-kine-index'
type = 'lambda-kine-type'
url = host + '/' + index + '/' + type + '/'

headers = { "Content-Type": "application/json" }

def handler(event, context):
    count = 0
    for record in event['Records']:
        id = record['eventID']
        timestamp = record['kinesis']['approximateArrivalTimestamp']
        
        # Kinesis data is base64-encoded, so decode here
        message = base64.b64decode(record['kinesis']['data'])
        
        # Create the JSON document
        document = { "id": id, "timestamp": timestamp, "message": message }
        # Index the document
        r = requests.put(url + id, auth=awsauth, json=document, headers=headers)
        count += 1
    return 'Processed ' + str(count) + ' items.'

Also, as given in the tutorial, the IAM Role is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:ESHttpPost",
        "es:ESHttpPut",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:DescribeStream",
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    }
  ]
}

and the Trust Relationship is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

After doing this, the response I get when I run the lambda is:

<Response [403]>

Any help in resolving this is appreciated.

Solution

  • Credentials would only be applicable if you use an IAM user which isn't the case here as this is a Lambda function and it requires an IAM role.

    What you might have is fine-grained access control enabled which doesn't work well with domain policies.

    Read more here and notice the highlighted section re-user / IAM mixing and not working correctly.