
Message: 'User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action'

Open sgondkar-haptiq opened this issue 11 months ago • 2 comments

I get this error in the logs when an anonymous user tries to access Elasticsearch. Sometimes it works with the same policy and sometimes it starts giving this error. We have the same setup running on stage and prod, but we are facing the issue on stage while prod is working totally fine without any issues. Recently an index update was done by the DEV team for some of the indexes. We have added a few public IPs which were requested to be added from the client side.

```
2025-01-03T14:18:46.224Z aae4193b-f1cd-44da-b549-8a797653d6c9 INFO ~ error: StatusCodeError: Authorization Exception
    at respond (/var/task/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/var/task/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/var/task/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/var/task/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:529:35)
    at endReadableNT (node:internal/streams/readable:1400:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
  status: 403,
  displayName: 'AuthorizationException',
  path: '/stage/_doc',
  query: { type: 'requests' },
  body: '{"course_id":null,"email":null,"from_date":null,"limit":null,"page":null,"to_date":null,"db_state_code":"MN","state_code":"MN","request_name":null,"request_date":1735913926195,"hits":42396,"resource":"/users","roles":null,"updated_since":null,"user_id":null,"certificates":null,"completion_code":null}',
  statusCode: 403,
  response: '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"}',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}
```

Could anyone please help if you have any idea about this request?

sgondkar-haptiq avatar Jan 09 '25 14:01 sgondkar-haptiq

This is the IAM policy being used.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:653428368606:domain/nfhssso-stage/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ""
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::653428368606:user/mms-stage-es",
          "arn:aws:iam::653428368606:user/sso.stage",
          "arn:aws:iam::653428368606:role/nfhslearn-api-service-stage-us-east-1-lambdaRole",
          "arn:aws:iam::653428368606:user/learn-stage-es"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:653428368606:domain/nfhssso-stage/*"
    }
  ]
}
```

sgondkar-haptiq avatar Jan 09 '25 14:01 sgondkar-haptiq

From this information it seems the issue is coming from IAM, where the condition doesn't match. Could it be that the IP specified here doesn't match the requester's IP address? The other part of the policy looks good to me.

```json
"Condition": {
  "IpAddress": {
    "aws:SourceIp": ""
  }
}
},
```

roger-zhangg avatar Jan 24 '25 20:01 roger-zhangg
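The condition roger-zhangg points at is the only route by which an unsigned request can be allowed here: the service evaluates a request that carries no SigV4 signature as principal `anonymous`, so the second statement, which names specific IAM users and the Lambda role, never applies to it, and the verdict rests entirely on whether the caller's egress IP falls inside the `aws:SourceIp` list. The following is an added example, not code from the issue, its participants or AWS: a small evaluator for this kind of domain access policy that reproduces the 403 text from the log for an IP outside the list. The account ID, domain name, ARNs and CIDRs are constructed stand-ins for the redacted values in the thread, and only the constructs the posted policy uses are modelled.

```python
# Simplified evaluator for an Elasticsearch/OpenSearch domain access policy.
# Added example, not code from the issue, its participants or AWS. It models
# only what the posted policy uses: Effect Allow, Principal.AWS, Action and
# Resource with '*' wildcards, and the IpAddress / aws:SourceIp condition.
# Explicit Deny, NotPrincipal, NotAction, other condition operators and
# identity-based policies are out of scope.
import fnmatch
import ipaddress
import json

# Constructed policy modelled on the one in the thread. Account ID, domain name,
# ARNs and the CIDR list are assumptions standing in for the redacted values.
POLICY_JSON = r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AnonymousFromAllowedIps",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-stage/*",
      "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "192.0.2.10/32"]}}
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::123456789012:user/example-stage-es",
        "arn:aws:iam::123456789012:role/example-api-service-stage-lambdaRole"
      ]},
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-stage/*"
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# The service reports an unsigned (no SigV4) request as principal "anonymous".
ANONYMOUS = "anonymous"
LAMBDA_ROLE = "arn:aws:iam::123456789012:role/example-api-service-stage-lambdaRole"
# Resource ARN for a POST to /stage/_doc on the constructed domain.
RESOURCE = "arn:aws:es:us-east-1:123456789012:domain/example-stage/stage/_doc"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or arn in allowed


def _condition_matches(condition, source_ip):
    if not condition:
        return True  # no Condition block: the statement applies unconditionally
    unsupported = set(condition) - {"IpAddress"}
    if unsupported:
        raise NotImplementedError(f"condition operators not modelled: {sorted(unsupported)}")
    cidrs = _as_list(condition["IpAddress"].get("aws:SourceIp", []))
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(policy, principal_arn, action, resource, source_ip):
    """Return (True, statement id) for the first Allow statement whose principal,
    action, resource and condition all match; (False, None) if none does."""
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not _match_any(stmt["Action"], action):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition"), source_ip):
            continue
        return True, stmt.get("Sid") or f"statement[{idx}]"
    return False, None


def explain(policy, principal_arn, action, resource, source_ip):
    """Human-readable verdict; the deny text mirrors the service's 403 message."""
    allowed, sid = evaluate(policy, principal_arn, action, resource, source_ip)
    if allowed:
        return f"allowed by {sid}"
    return (f"User: {principal_arn} is not authorized to perform: {action} "
            f"because no resource-based policy allows the {action} action")


if __name__ == "__main__":
    for who, ip in [(ANONYMOUS, "203.0.113.10"), (ANONYMOUS, "198.51.100.7"),
                    (LAMBDA_ROLE, "198.51.100.7")]:
        print(f"{who} from {ip}: {explain(POLICY, who, 'es:ESHttpPost', RESOURCE, ip)}")
```

Running it shows the anonymous call allowed from an address inside the list, denied with the thread's exact error text from an address outside it, and the Lambda role allowed from anywhere once the request is signed. To compare against a real failure, substitute the CIDRs from the domain's access policy and the public IP the caller actually egresses from; a caller whose egress IP changes between invocations will see the same policy allow some requests and deny others.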