Open adrianluisgonzalez opened 8 months ago
I found the issue. AOSS needs the header `X-Amz-Content-Sha256`. You can see the following in opensearch-go:
```go
// Excerpt from the opensearch-go AWS signer: `body` and `hexEncodedSha256`
// are defined elsewhere in that file; only the header logic is shown here.
contentSha256Hash := emptyBodySHA256 // hex SHA-256 of an empty payload
if req.Body != nil {
	b, err := io.ReadAll(req.Body)
	if err != nil {
		return fmt.Errorf("failed to read request body: %w", err)
	}
	body = bytes.NewReader(b) // keep a re-readable copy of the payload
	hash, err := hexEncodedSha256(b)
	if err != nil {
		return fmt.Errorf("failed to calculate hash of request body: %w", err)
	}
	contentSha256Hash = hash
}
// Add the "X-Amz-Content-Sha256" header as required by Amazon OpenSearch Serverless.
req.Header.Set("X-Amz-Content-Sha256", contentSha256Hash)
```
https://github.com/opensearch-project/opensearch-go/blob/main/signer/aws/aws.go#L95
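An added example, not code from the issue, from aws-es-proxy or from opensearch-go, showing how a proxy can compute the payload hash the comment above describes and set the header while keeping the body readable for the upstream call; `SetContentSha256` and the sample request are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// emptyBodySHA256 is the SHA-256 of zero bytes, the value SigV4 uses for a request without a payload.
const emptyBodySHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

// SetContentSha256 hashes req.Body, restores the body so the request can still be
// forwarded, and sets X-Amz-Content-Sha256. It returns the header value that was set.
func SetContentSha256(req *http.Request) (string, error) {
	hash := emptyBodySHA256
	if req.Body != nil && req.Body != http.NoBody {
		b, err := io.ReadAll(req.Body)
		if err != nil {
			return "", fmt.Errorf("read request body: %w", err)
		}
		req.Body.Close()
		req.Body = io.NopCloser(bytes.NewReader(b)) // body is consumed once; put it back
		req.ContentLength = int64(len(b))
		sum := sha256.Sum256(b)
		hash = hex.EncodeToString(sum[:])
	}
	req.Header.Set("X-Amz-Content-Sha256", hash)
	return hash, nil
}

func main() {
	// Constructed sample: a _search with a JSON payload, the case that returned 403 in the issue.
	body := `{"query":{"match_all":{}}}`
	req, _ := http.NewRequest("POST", "http://localhost:9200/my-index/_search", strings.NewReader(body))
	h, err := SetContentSha256(req)
	if err != nil {
		panic(err)
	}
	fmt.Println(h)
	// Without a payload the header must carry the empty-body hash.
	req2, _ := http.NewRequest("GET", "http://localhost:9200/_cat/indices", nil)
	h2, _ := SetContentSha256(req2)
	fmt.Println(h2 == emptyBodySHA256)
}
```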
Thanks for this helpful tool. I have used it with Amazon OpenSearch clusters for a while now. I am trying to move to OpenSearch Serverless, but having issues with `aws-es-proxy` when there is a payload to be signed.

When I send a request without a payload, everything works fine. For example `curl localhost:9200/_cat/indices` or `curl -X POST localhost:9200/my-index/_search`. As soon as I send any request with a payload, I get a 403 with response header `X-Aoss-Response-Hint: X01:gw-helper-deny`.

Here are the logs using v1.5:

The serverless data access policy has full access for my IAM credentials, and the fact that the search without a payload succeeds makes me think this is not permissions related. I don't see anything in CloudTrail.

Has anyone used this successfully with AOSS? Any suggestions would be greatly appreciated.