
aws_opensearchservice: Grant permissions using access policy for principals that cannot have policies attached

Open pergardebrink opened this issue 1 year ago • 2 comments

Describe the feature

We would like to be able to grant access to principals that cannot have policies attached by using the access policies on OpenSearch.

The current OpenSearch grantXYZ methods only work for adding permissions to a principal, not for adding permissions to the access policy.

Use Case

We want to grant cross-account access to OpenSearch and want to use Role.fromRoleArn in our stack and then use the grantIndexWrite method to grant those principals access.

Proposed Solution

Use the access policy (resource policy) if the principal does not allow adding permissions (like an imported role, an AccountPrincipal or similar).

Other Information

We can manually craft the access policy using addAccessPolicies, but it's much more convenient and easier to understand if we can use the grantXYZ methods.

More about OpenSearch Domain Access Policies (Resource Policies): https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource

Acknowledgements

  • [X] I may be able to implement this feature request
  • [X] This feature might incur a breaking change

CDK version used

2.129.0

Environment details (OS name and version, etc.)

Windows 11

pergardebrink, Feb 22 '24 08:02
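Added here as an illustration, not code from aws-cdk or from the issue author: a small TypeScript model of the proposed behaviour, where grantIndexWrite() writes to the domain access policy (resource policy) whenever the grantee cannot carry an identity policy, such as a role imported with fromRoleArn. The types, the ES_WRITE_ACTIONS list and the sample ARNs are assumptions, not the CDK API.

```typescript
interface Statement {
  Effect: 'Allow';
  Principal?: { AWS: string };   // set only in the domain access policy (resource policy)
  Action: string[];
  Resource: string[];
}
// A grantee that owns its principal (a Role in the same stack) carries an identity policy;
// an imported role or AccountPrincipal has none and can only be named in the access policy.
interface Grantee {
  arn: string;
  identityPolicy?: Statement[];
}
interface Domain {
  domainArn: string;
  accessPolicies: Statement[];
}
// Assumed action set for "index write"; the real list lives in the CDK source.
const ES_WRITE_ACTIONS = ['es:ESHttpPost', 'es:ESHttpPut', 'es:ESHttpDelete'];

// Returns which policy the grant landed in, so callers can see the path taken.
function grantIndexWrite(domain: Domain, index: string, grantee: Grantee): 'identity' | 'resource' {
  const resource = `${domain.domainArn}/${index}/*`;
  if (grantee.identityPolicy) {
    grantee.identityPolicy.push({ Effect: 'Allow', Action: [...ES_WRITE_ACTIONS], Resource: [resource] });
    return 'identity';
  }
  // A resource policy naming "*" with no condition makes the domain publicly writable;
  // refuse it here instead of silently emitting it.
  if (grantee.arn === '*') {
    throw new Error('anonymous principal needs an explicit access policy with conditions');
  }
  domain.accessPolicies.push({
    Effect: 'Allow',
    Principal: { AWS: grantee.arn },
    Action: [...ES_WRITE_ACTIONS],
    Resource: [resource],
  });
  return 'resource';
}

function renderAccessPolicy(d: Domain): string {
  return JSON.stringify({ Version: '2012-10-17', Statement: d.accessPolicies }, null, 2);
}

// Constructed sample: a domain plus a cross-account role imported by ARN (no identity policy).
const demo: Domain = { domainArn: 'arn:aws:es:eu-west-1:123456789012:domain/search-demo', accessPolicies: [] };
grantIndexWrite(demo, 'logs', { arn: 'arn:aws:iam::111122223333:role/log-writer' });
console.log(renderAccessPolicy(demo));
```

The rendered document is the same shape you would otherwise hand-craft and pass to addAccessPolicies; the point of the dispatch is that callers no longer need to know which kind of principal they hold.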

Thanks for the feature request, this could probably use more discussion and input from the team. There was an issue involving fine-grained access control in OpenSearch, with the team's response here: https://github.com/aws/aws-cdk/issues/21193#issuecomment-1190478648.

tim-finnigan, Feb 22 '24 19:02

Thanks @tim-finnigan! I don't think fine-grained permissions, like discussed in that issue, would be the same as I suggest here, as fine-grained permissions exist on top of access policies (to some degree discussed how they relate to each other here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-access-policies) and here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource.

But I'm not an expert on OpenSearch and might miss something that would make this rather an L3 or L2.5, as mentioned in that issue.

pergardebrink, Feb 22 '24 19:02