elasticsearch amazon-iam aws-cdk api-key aws-elasticsearch

AWS Elasticsearch generate api-key


I've created an Elasticsearch service in AWS using AWS CDK. Originally I thought of accessing it using IAM, but the way to do it in Node is horrible, so I turned to auth through api-key.

If I follow the Elasticsearch docs, I get the following error: AuthenticationException(401, '{"Message":"Your request: \'/_security/api_key\' is not allowed."}')

I assume this is due to my default user not having the right permissions to access the _security API, but then how can I create said api-key?


Solution

  • From comments:

    The Security API is part of X-Pack, which is not supported yet by the AWS Elasticsearch service. If we need to use it within AWS, using it as SaaS from AWS Marketplace is an option. However, there are other options to secure AWS Elasticsearch:

    • Using Cognito to secure Elastic gives fine-grained controls for users with identity pools and IAM roles. Here are some details.
    • IP-based resource policies. As long as clients are within the network (AWS or non-AWS), a "*" principal with conditions restricts access to a CIDR range. Anyone can access; there is no fine-grained access for users within the same IP CIDR range.
    • IAM authentication: gives fine-grained control; needs AWS credentials via a role (could be separate Cognito too) or user credentials to sign the HTTP requests with a v4 signature. If we manually sign the HTTP request, we can use aws4-sign. We just need to pass service, region and body to the aws4.sign method options in addition to the Node.js HTTP request options, similar to the example here with service as es. A couple of libraries that wrap this signing for Elastic are aws-es-connection and http-aws-es.
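
The IAM option above comes down to computing an AWS Signature Version 4 over each HTTP request with the service name `es`. The following is an added example, not part of the original answer and not the code of aws4 or the other libraries named: it computes that signature with Node's built-in crypto so the signed inputs are visible. The function name `signEsRequest`, the credentials and the domain endpoint are constructed for illustration.

```javascript
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();

// Returns the headers to attach to the HTTP request, including Authorization.
function signEsRequest({ method, host, path, body = '', region, creds, now = new Date() }) {
  const service = 'es'; // service name used for the AWS Elasticsearch service
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20150830T123600Z
  const dateStamp = amzDate.slice(0, 8);
  const payloadHash = sha256(body); // binds the signature to the exact request body

  // Headers covered by the signature: lowercase names, sorted.
  const headers = { host, 'x-amz-content-sha256': payloadHash, 'x-amz-date': amzDate };
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken; // role/Cognito creds
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${headers[n].trim()}\n`).join('');
  const signedHeaders = names.join(';');

  // Assumes an already URI-encoded path and no query string (third field is empty).
  const canonicalRequest = [method, path, '', canonicalHeaders, signedHeaders, payloadHash].join('\n');
  const scope = `${dateStamp}/${region}/${service}/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256(canonicalRequest)].join('\n');

  // The signing key is derived per day, region and service; the secret key is never sent.
  const kDate = hmac(`AWS4${creds.secretAccessKey}`, dateStamp);
  const kSigning = hmac(hmac(hmac(kDate, region), service), 'aws4_request');
  const signature = hmac(kSigning, stringToSign).toString('hex');

  headers.authorization =
    `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return headers;
}

// Constructed sample input: placeholder keys and a made-up domain endpoint.
const sample = {
  method: 'POST',
  host: 'search-example-domain.us-east-1.es.amazonaws.com',
  path: '/my-index/_search',
  body: JSON.stringify({ query: { match_all: {} } }),
  region: 'us-east-1',
  creds: { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'EXAMPLE-SECRET-KEY' },
  now: new Date('2015-08-30T12:36:00Z'),
};
console.log(signEsRequest(sample));
```

Because the body hash, host and timestamp are all part of the signed string, a request altered in transit or replayed outside the allowed clock window is rejected, and the domain's access policy can then grant rights to the specific IAM role or user that signed it.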