Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

InvalidTypeException when attempting to set access policies through update_elasticsearch_domain_config

See original GitHub issue

Anytime i try to update the access policies through update_elasticsearch_domain_config, i get the following error:

botocore.exceptions.ClientError: An error occurred (InvalidTypeException) when calling the UpdateElasticsearchDomainConfig operation: Error setting policy: [{"Sid":"fsasaafffff","Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:*","Resource":"arn:aws:es:us-west-2:XXXXXXXXX:domain/int-XXXXXX-XXXXX/*"}]}}]

It isn’t the policy that seems to be the error, since i can set the exact same policy through awscli or the ui. Which leads me to believe i am passing it incorrectly somehow. I have tried every combination of storing it as a file, minified, unminifed, passing it in directly as a raw string, doing a json.dumps on it first, etc.

Issue Analytics

State:
Created 8 years ago
Comments:20 (3 by maintainers)

Top GitHub Comments

7reactions

digitalsanctumcommented, Jul 2, 2018

For posterity I also had a similar issue and turned out I was referring to an IAM role that didn’t exist in the policy.

Not obvious at all from the “InvalidTypeException” exception message 😦

3reactions

quivercommented, Feb 27, 2016

I can successfully execute update_elasticsearch_domain_config API from boto3 and CLI as follows.

boto3

version : Boto3/1.2.5 Python/2.7.10 Darwin/15.3.0 Botocore/1.3.30

One thing to note is that you have to pass policy as strings not as JSON(dict).

import json
import boto3

#boto3.set_stream_logger(name='botocore') # for debugging
client = boto3.client('es')
access_policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-northeast-1:123456789012:domain/foo/*"
    }
  ]
}

client.update_elasticsearch_domain_config(
  DomainName='foo',
  AccessPolicies=json.dumps(access_policy)
)

AWS CLI

$ aws --version
aws-cli/1.10.8 Python/2.7.10 Darwin/15.3.0 botocore/1.3.30
$ cat access.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-northeast-1:123456789012:domain/foo/*"
    }
  ]
}

$ aws es update-elasticsearch-domain-config --domain-name foo --access-policies file://access.json
...  UPDATED POLICIES WILL BE RETURNED

Top Results From Across the Web

InvalidTypeException when attempting to set access ...

Anytime i try to update the access policies through update_elasticsearch_domain_config, i get the following error: botocore.exceptions.

ElasticsearchService

Use the Amazon Elasticsearch Configuration API to create, configure, ... An exception for trying to create or access sub-resource that is either invalid ......

Proper access policy for Amazon Elastic Search Cluster

I was able to get both IAM access IP-restricted access with the following Access Policy. Note the order is important: I could not...

update-elasticsearch-domain-config

Modifies the advanced option to allow references to indices in an HTTP request body. Must be false when configuring access to individual sub-resources....

Package elasticsearchservice

The service's client also provides methods to make API requests with a Context ... An exception for trying to create or access sub-resource...