I have an AWS ElasticSearch Cluster in account "A".
I'm trying to create a lambda (triggered via API) in account "B" that will fetch data from ES in account "A".
I'm getting the following error:
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"
My Access policy in ES Security Configuration:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            List of IP Addresses
          ]
        }
      }
    }
  ]
}
I modified the access policy with the following but still facing the same issue:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            List Of Ip Addresses
          ]
        }
      }
    }
  ]
}
Scratched my head a lot over this. Basically what is happening is that a resource-based policy on its own only allows access for requests from the same account. If it is cross-account access, we also need an identity-based policy from the originating account. Take this for example: you need to grant the es:ESHttp* permission to the role in lambda B. This is because for same-account access a resource-based policy is enough, but for cross-account access we also need an identity policy on the requesting service (lambda).
Here's the relevant documentation regarding this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html
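To make the answer's point concrete, here is an added example (not part of the question or the answer, and not AWS's evaluator) that models the cross-account rule in a few dozen lines of Python: a domain resource policy in account A that trusts account B's root, the identity-based policy that has to be attached to the Lambda execution role in account B, and a simplified `is_allowed` function that reproduces the behaviour from the question. The account IDs, the role name and the domain name are placeholders I constructed; conditions such as aws:SourceIp, SCPs, permission boundaries, session policies and fine-grained access control are deliberately left out of the model.

```python
"""Simplified model of the AWS cross-account policy evaluation logic.

Constructed scenario: a Lambda role in account B calls es:ESHttpPost on a
domain owned by account A. Account IDs, role name and domain name are
placeholders, not real identifiers. This is a teaching model only; it does
not implement conditions, SCPs, permission boundaries or session policies.
"""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"   # domain owner (placeholder)
ACCOUNT_B = "222222222222"   # Lambda owner (placeholder)
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_A}:domain/domainName"
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/lambdaRole"

# Resource-based policy on the domain. Trusting account B's root delegates the
# decision to IAM policies inside account B; no "Principal": "*" wildcard.
DOMAIN_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": ["es:ESHttpGet", "es:ESHttpPost"],
        "Resource": f"{DOMAIN_ARN}/*",
    }],
}

# Identity-based policy attached to the Lambda execution role in account B.
# This is the missing piece in the question: without it the cross-account
# request is denied even though the resource policy allows it.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "es:ESHttp*",
        "Resource": f"{DOMAIN_ARN}/*",
    }],
}


def _account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    for p in _as_list(principal.get("AWS", [])):
        if p == "*" or p == caller_arn:
            return True
        # An account root principal stands for any IAM principal of that account.
        if p.endswith(":root") and _account_of(p) == _account_of(caller_arn):
            return True
    return False


def _evaluate(policy, caller_arn, action, resource, check_principal):
    """Return 'Deny', 'Allow' or None when no statement matches."""
    result = None
    for st in policy.get("Statement", []):
        if check_principal and not _principal_matches(st.get("Principal", {}), caller_arn):
            continue
        # IAM action/resource wildcards: '*' and '?', case-sensitive on ARNs.
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"            # an explicit deny always wins
        result = "Allow"
    return result


def is_allowed(caller_arn, action, resource, identity_policy, resource_policy):
    """Same account: either an identity or a resource policy allow is enough.
    Cross account: the resource policy AND the caller's identity policy must allow."""
    ident = _evaluate(identity_policy, caller_arn, action, resource, check_principal=False)
    res = _evaluate(resource_policy, caller_arn, action, resource, check_principal=True)
    if "Deny" in (ident, res):
        return False
    if _account_of(caller_arn) == _account_of(resource):
        return "Allow" in (ident, res)
    return ident == "Allow" and res == "Allow"


if __name__ == "__main__":
    target = f"{DOMAIN_ARN}/index/_search"
    # The question's situation: resource policy only -> denied.
    print("resource policy only:", is_allowed(LAMBDA_ROLE, "es:ESHttpPost", target, {}, DOMAIN_RESOURCE_POLICY))
    # The answer's fix: identity policy on the role as well -> allowed.
    print("both policies:", is_allowed(LAMBDA_ROLE, "es:ESHttpPost", target, LAMBDA_ROLE_POLICY, DOMAIN_RESOURCE_POLICY))
```

Two practical notes on top of the model: the Lambda's HTTP calls to the domain must be SigV4-signed with the role's credentials, otherwise the request arrives unauthenticated and only an anonymous-principal statement such as the IP-conditioned one can match it; and a `"Principal": {"AWS": "*"}` statement guarded solely by `aws:SourceIp` admits any caller from those addresses, so once the role-based path works, narrowing the principal to account B's root (as in the second policy in the question) and the actions to the `es:ESHttp*` verbs the Lambda actually needs is the tighter configuration.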