While going through the IAM policy for AWS Elasticsearch with Terraform, I can see the options to add principals as role ARNs:

    data "aws_iam_policy_document" "default" {
      count = (length(var.iam_role_arns) > 0) ? 1 : 0

      // for resources within
      statement {
        effect  = "Allow"
        actions = distinct(compact(var.iam_actions))
        resources = [
          join("", aws_elasticsearch_domain.default.*.arn),
          "${join("", aws_elasticsearch_domain.default.*.arn)}/*"
        ]
        principals {
          type        = "AWS"
          identifiers = distinct(compact(concat(var.iam_role_arns)))
        }
      }
    }
While trying to access AWS ES from the Kibana dashboard I have to specify the conditional IPs to get access to the ES domain. What should be the use case where these var.iam_role_arns are getting used?
Thanks
You would use iam_role_arns to access your ES using signed HTTPS queries by your IAM user/role credentials. By default, neither ES nor AWS provides an option to create such queries, but there are third-party tools for that, such as the popular aws-requests-auth library for Python.
The library also has an example specific to ES.
This can be very useful if you want to interact with your ES through a Lambda function or an EC2 instance. In these cases, your iam_role_arns would refer to Lambda execution and instance roles respectively. In this scenario, you could use aws-requests-auth to construct signed queries to your ES domain.