Received 403 from AWSAuth, invalidating credentials for retrial... /_bulk?timeout=1m; ; 403; 0.210s

Question

Received 403 from AWSAuth, invalidating credentials for retrial... /_bulk?timeout=1m; ; 403; 0.210s

Opened this issue 3 years ago · 3 comments

Could someone provide guidance... My AWS creds are good for the role tied to the instance. The domain is in the same VPC and allows this role access. I've not seen the last line in the below snippet in any of the other issues. Any help or direction is more than appreciated. Trying to populate the index from a Nutch instance.

./aws-es-proxy-1.3-linux-386 -listen 0.0.0.0:9200 -endpoint https://vpc-webmgmtelasticsearch-secure2-fjsfnpigonh5xnw2d72qq52yma.us-east-1.es.amazonaws.com -verbose
INFO[2021-30-11 19:51:04] Listening on 0.0.0.0:9200...
INFO[2021-30-11 19:51:49] Using default credentials
INFO[2021-30-11 19:51:49] Generated fresh AWS Credentials object
ERRO[2021-30-11 19:51:49] Received 403 from AWSAuth, invalidating credentials for retrial
2021/11/30 19:51:49 -> POST; 10.60.x.x:37502; /_bulk?timeout=1m; ; 403; 0.210s

Answer 1 · 2022-02-21T19:36:55.000Z

Any updates on this, I am encountering the same issue

Answer 2 · 2022-02-22T17:51:13.000Z

Getting the same error, got the following access policy applied on opensearch:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<>:role/aws-es-proxy"
},
"Action": "es:",
"Resource": "arn:aws:es:us-east-1:<>:domain/test-domain"
}
]
}

Tried this first with a role, which has completely open.
Getting same error with providing AWS keys.

Answer 3 · 2022-02-22T17:54:14.000Z

Actually, I was able to fix this now.
What needs to be done in addition to AWS Role/User configuration in AWS for the aws-es-proxy, is to add this role/user that is used with it to OpenSearch Roles as internal user/backend role with the ARN.