[aws-elasticsearch] Elastic search domain resource lacks permissions.

Elastic search domain resource lacks permissions.

Failed to create resource. Error in Accessing KmsKeyID with details:User: arn:aws:sts::<ID>:assumed-role/Testing-Mi-Main-Stack-<ID>-<ID>/Testing-Mi-Main-Stack-<ID>-<ID> is not authorized to perform: kms:DescribeKey on resource: arn:aws:kms:eu-central-1:<ID>:key/<ID> (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: <ID>; Proxy: null)

Reproduction Steps

Create elastic search Domain. (from aws_cdk.aws_elasticsearch import Domain).

What did you expect to happen?

Domain created.

What actually happened?

CloudFormation error complaining about permissions (the same kms:DescribeKey AccessDeniedException quoted above).

Environment

  • CDK CLI Version : 1.72.0
  • Framework Version: 1.72.0
  • Node.js Version: v15.1.0
  • OS : MacOS
  • Language (Version): Python3.9

Other

The bug seems to be new. Did not experience it in previous versions.


This is a 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 34 (24 by maintainers)

Top GitHub Comments

3 reactions
iliapolo commented, Nov 23, 2020

It seems that in some, still unknown, conditions, the es:updateElasticsearchDomainConfig invoked by the ElasticsearchAccessPolicy requires the kms:DescribeKey permission on the key.

I’m reluctant to add this by default while it’s still unclear, but to get around this issue you can add the necessary permissions like so:

import * as cr from '@aws-cdk/custom-resources';
import * as elastic from '@aws-cdk/aws-elasticsearch';
import * as iam from '@aws-cdk/aws-iam';
import * as kms from '@aws-cdk/aws-kms';

const key = new kms.Key(...);
const domain = new elastic.Domain(...);
// The access-policy custom resource is a child of the Domain construct named 'ESAccessPolicy';
// tryFindChild returns undefined if that child does not exist, so the cast assumes it does.
const policyHandler = domain.node.tryFindChild('ESAccessPolicy') as cr.AwsCustomResource;

// Grant the custom resource's Lambda role kms:DescribeKey on this key only (least privilege).
policyHandler.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({
  actions: ['kms:DescribeKey'],
  resources: [key.keyArn],
  effect: iam.Effect.ALLOW,
}));

@Ruben-E this still doesn’t explain why the same problem is happening in your case where only the L1 is being used.
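
The error in the issue body and the workaround in the comment above reduce to one IAM question: does the ESAccessPolicy custom resource's role hold kms:DescribeKey on that specific key, and what is the narrowest statement that adds it. The following is an added example, not code from the issue or from aws-cdk: it parses the AccessDeniedException quoted above, evaluates it against a constructed stand-in for the role's identity policy (the domain ARN and the pre-fix statement are assumptions, not taken from the page), and returns the same least-privilege statement the TypeScript workaround grants. Standard library only, so it runs offline.

```python
"""Derive the least-privilege fix from the AccessDeniedException in this issue.
Added example, not code from the aws-cdk issue or from the CDK. It parses the
"is not authorized to perform" message, checks it against a simplified model of
the custom resource role's identity policy, and proposes the narrowest Allow."""
import json
import re

# The CloudFormation error quoted in the issue (identifiers already redacted as <ID>).
ERROR_TEXT = (
    "Failed to create resource. Error in Accessing KmsKeyID with details:"
    "User: arn:aws:sts::<ID>:assumed-role/Testing-Mi-Main-Stack-<ID>-<ID>/"
    "Testing-Mi-Main-Stack-<ID>-<ID> is not authorized to perform: kms:DescribeKey "
    "on resource: arn:aws:kms:eu-central-1:<ID>:key/<ID> (Service: AWSKMS; "
    "Status Code: 400; Error Code: AccessDeniedException; Request ID: <ID>; Proxy: null)"
)

# Constructed stand-in (an assumption, not from the issue) for the ESAccessPolicy role's
# policy before the workaround: it may update the domain config but says nothing about KMS.
ROLE_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "es:UpdateElasticsearchDomainConfig",
        "Resource": "arn:aws:es:eu-central-1:<ID>:domain/testing-domain",
    }],
}

DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_denial(text):
    """Return (principal, action, resource) from an IAM 'is not authorized' message."""
    m = DENIAL_RE.search(text)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    return m.group("principal"), m.group("action"), m.group("resource")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_sensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    Actions are matched case-insensitively, resource ARNs case-sensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants, otherwise implicit deny. Conditions, the KMS key policy
    and SCPs are out of scope, so True here is necessary for the call, not sufficient."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(a, action, False) for a in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(r, resource, True) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def least_privilege_statement(action, resource):
    """The narrowest Allow that clears the denial: exactly one action on one ARN."""
    return {"Effect": "Allow", "Action": [action], "Resource": [resource]}


def is_overly_broad(stmt):
    """Flag the tempting shortcut (kms:* or Resource '*'): any wildcard widens the
    grant beyond what the denial asked for."""
    return any("*" in a for a in _as_list(stmt["Action"])) or any(
        "*" in r for r in _as_list(stmt["Resource"]))


def propose_fix(error_text, role_policy):
    """Statement to add to the role, or None when the identity policy already allows
    the call (then the denial comes from something this model does not see)."""
    _principal, action, resource = parse_denial(error_text)
    if is_allowed(role_policy, action, resource):
        return None
    return least_privilege_statement(action, resource)


def with_statement(policy, stmt):
    """Return a copy of the policy with one more statement appended."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"].append(stmt)
    return fixed


if __name__ == "__main__":
    fix = propose_fix(ERROR_TEXT, ROLE_POLICY_BEFORE)
    print(json.dumps(fix, indent=2))
    _p, act, res = parse_denial(ERROR_TEXT)
    print("allowed after fix:", is_allowed(with_statement(ROLE_POLICY_BEFORE, fix), act, res))
```

Running it prints the proposed statement (kms:DescribeKey on the one key ARN) and confirms the call is allowed once it is appended. A None from propose_fix means the identity policy already allows the call, so the denial is coming from something this model ignores: the key policy, a condition key, or an SCP. When the key policy trusts the account root (the CDK default for kms.Key) the identity policy is what matters; a custom key policy may need its own statement for the custom resource's role. is_overly_broad catches the shortcut of granting kms:* on *, which also clears the error but hands the custom resource's Lambda far more than the single DescribeKey it needed.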

2 reactions
iliapolo commented, Nov 25, 2020

@Ruben-E @ignaloidas @laimonassutkus managed to reproduce, thanks for all the cooperation 😃
