How can I delegate OpenSearch Service access across AWS accounts using IAM roles?


I want to share the Amazon OpenSearch Service resources in my AWS account with users in a different account.

Short description

Complete the following steps to allow users to use an AWS Identity and Access Management (IAM) role to access your domain resources:

  1. Create a role in Account A that's allowed to access the target domain.
  2. Create a user under Account B that's allowed to assume a role in Account A.
  3. Grant access to users in Account B to switch roles to access the target domain.

Note: Account A is the account where the target domain resides. Account B is the account from which users access the central logging station.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Create a role and grant permissions to manage your domain

Create an IAM role, and grant permissions to allow users to manage your domain.

In this example, a role named CrossAccount-test is created and grants full permissions to manage the domain test.

{
     "Version": "2012-10-17",
     "Statement": [{
          "Effect": "Allow",
          "Action": [
               "es:*"
          ],
          "Resource": "arn:aws:es:<Region>:<Account A-ID>:domain/test/*"
     }]
}

Edit the trust relationship of the role

Edit the trust relationship of the role. In this example it's CrossAccount-test.

Note: Replace Account B-ID and User Name with the ID for Account B and your user name.

{
     "Version": "2012-10-17",
     "Statement": [{
          "Effect": "Allow",
          "Principal": {
               "Service": "es.amazonaws.com",
               "AWS": ["arn:aws:iam::<Account B-ID>:root", "arn:aws:iam::<Account B-ID>:user/<User Name>"]
          },
          "Action": "sts:AssumeRole"
     }]
}

Grant access to users in Account B

In Account B, create a user or group with the following permissions:

Note: Replace Account A-ID with the ID for Account A.

{
     "Version": "2012-10-17",
     "Statement": {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::<Account A-ID>:role/<CrossAccount-test>"
     }
}

Adding this policy statement allows the AssumeRole API action on the CrossAccount-test role in Account A.

Edit the OpenSearch Service access policy to allow the role to access the domain

Allow this role to access your domain.

Edit the OpenSearch Service access policy and enter the following information:

{
     "Version": "2012-10-17",
     "Statement": [{
          "Effect": "Allow",
          "Principal": {
               "AWS": [
                    "arn:aws:iam::<Account A-ID>:role/<CrossAccount-test>"
               ]
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:<region>:<Account A-ID>:domain/<Domain Name>/*"
     }]
}

Switch roles to test access

Switch roles to test the access:

  1. Copy the CrossAccount-test ARN to your clipboard.
  2. Use the AWS Management Console to log in to Account B.
  3. From the User tab, choose Switch Role in the dropdown list.
  4. On the Switch Role page, enter the account ID for Account A and the role name. In this example, the role name is CrossAccount-test.
  5. Choose Switch Role.

Note: If users in Account B work in the Account A environment from the command line, then they can use the AWS CLI to switch roles. For more information, see Switch roles (AWS CLI).
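Before switching roles, the three policy documents above have to agree on account IDs and ARNs, and the most common reason the switch fails is a stale placeholder or a mismatched ARN. The following checker is an added example, not part of the AWS article: it loads the three documents with constructed sample account IDs (111111111111, 222222222222), a constructed user name alice, and the Region us-east-1, and reports any break in the delegation chain offline, before you test in the console.

```python
import json
import re

# Constructed sample values; real account IDs and the Region come from your environment.
ACCOUNT_A = "111111111111"   # Account A: owns the OpenSearch Service domain
ACCOUNT_B = "222222222222"   # Account B: where the users live
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CrossAccount-test"
DOMAIN_ARN = f"arn:aws:es:us-east-1:{ACCOUNT_A}:domain/test"

# The three policy documents from the article, with the placeholders filled in (constructed).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_B}:root", f"arn:aws:iam::{ACCOUNT_B}:user/alice"]}}]}
ASSUME_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": ROLE_ARN}}
DOMAIN_ACCESS_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "es:*",
    "Principal": {"AWS": [ROLE_ARN]}, "Resource": DOMAIN_ARN + "/*"}]}


def as_list(value):
    """IAM lets Statement, Action, Resource and Principal.AWS be a single value or a list."""
    return value if isinstance(value, list) else [value]


def allows(statement, action):
    return statement.get("Effect") == "Allow" and action in as_list(statement.get("Action", []))


def check_chain(trust, assume, domain_access, role_arn, account_b, domain_arn):
    """Return the problems found in the three-policy delegation chain; an empty list means consistent."""
    problems = []
    for name, doc in (("trust", trust), ("Account B", assume), ("domain access", domain_access)):
        if re.search(r"<[^>]*>", json.dumps(doc)):   # a left-over <placeholder> is never a valid ARN
            problems.append(f"{name} policy still contains a <placeholder>")
    # 1. The role's trust policy must let a principal in Account B call sts:AssumeRole.
    trusted = [p for st in as_list(trust["Statement"]) if allows(st, "sts:AssumeRole")
               for p in as_list(st.get("Principal", {}).get("AWS", []))]
    if not any(f":{account_b}:" in p for p in trusted):
        problems.append("trust policy does not trust any principal in Account B")
    # 2. Account B's identity policy must allow sts:AssumeRole on exactly this role ARN.
    if not any(allows(st, "sts:AssumeRole") and role_arn in as_list(st.get("Resource", []))
               for st in as_list(assume["Statement"])):
        problems.append("Account B policy does not allow AssumeRole on the role ARN")
    # 3. The domain access policy must name the role as principal and cover the domain's
    #    sub-resources (the trailing /* in the article's Resource is what requests match against).
    if not any(allows(st, "es:*") and role_arn in as_list(st.get("Principal", {}).get("AWS", []))
               and domain_arn + "/*" in as_list(st.get("Resource", []))
               for st in as_list(domain_access["Statement"])):
        problems.append("domain access policy does not grant the role access to the domain")
    return problems


if __name__ == "__main__":
    print(check_chain(TRUST_POLICY, ASSUME_POLICY, DOMAIN_ACCESS_POLICY, ROLE_ARN, ACCOUNT_B, DOMAIN_ARN))
```

An empty list means the three documents line up; each reported problem names the policy to go back and edit.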

Related information

Cross-account policy evaluation logic

Identity and access management in Amazon OpenSearch Service
