Closed jdotw closed 1 year ago
I tried a work-around of setting the master username and password using the CLI... but it still failed

```bash
#!/usr/bin/env bash
set -euo pipefail
# Locate the secret the CDK construct created for the master user.
ES_MASTER_SECRET_ARN=$(aws secretsmanager list-secrets --query "SecretList[?starts_with(Name, 'DomainMasterUser')].ARN" --output text)
echo "ES_MASTER_SECRET_ARN: ${ES_MASTER_SECRET_ARN}"
# Fetch the secret once and parse both fields out of its JSON SecretString.
ES_MASTER_SECRET=$(aws secretsmanager get-secret-value --secret-id "${ES_MASTER_SECRET_ARN}" --query SecretString --output text)
ES_MASTER_USERNAME=$(jq -r '.username' <<<"${ES_MASTER_SECRET}")
ES_MASTER_PASSWORD=$(jq -r '.password' <<<"${ES_MASTER_SECRET}")
echo "ES_MASTER_USERNAME: ${ES_MASTER_USERNAME}"
if [[ -z "${ES_MASTER_PASSWORD}" || "${ES_MASTER_PASSWORD}" == "null" ]]; then
  echo "ES Master password was not found"
  exit 1
fi
# Do not print the password itself; it would land in shell history and CI logs.
echo "ES_MASTER_PASSWORD: present (${#ES_MASTER_PASSWORD} characters)"
# Build the JSON with jq so quotes or backslashes in the password cannot break it.
ADV_SEC_OPTS=$(jq -cn --arg u "${ES_MASTER_USERNAME}" --arg p "${ES_MASTER_PASSWORD}" '{MasterUserOptions: {MasterUserName: $u, MasterUserPassword: $p}}')
ES_MASTER_USER_RESULT=$(aws opensearch update-domain-config --domain-name "${ES_DOMAIN_NAME}" --advanced-security-options "${ADV_SEC_OPTS}")
echo "ES_MASTER_USER_RESULT: ${ES_MASTER_USER_RESULT}"
```
I seem to have the master user and domain set up correctly when I deploy a similar opensearch domain. I don't have any experience with opensearch dashboards and I'm not sure if we considered that use case when this module was created. This is going to require some work to determine how CDK opensearch domains interact with opensearch dashboards and then determine if there is a need for a fix.
I'm determining this to be a use case that might not be unlocked, and hopefully we can determine how common this is with +1s on the issue. I'm marking as p2 for now.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
What is the problem?
The master user isn't actually created when a username is specified and/or if a password is specified.
Reproduction Steps
Create a domain like this:
The same issue happens even if you specify a master password secret.
What did you expect to happen?
The credentials in the automatically-created secret should work when trying to use the dashboard and/or for REST clients attempting to use the domain.
What actually happened?
The secret is created, a username and password are present, but the domain does not have that master username or password configured. Attempting to access the dashboard throws an "anonymous access not allowed" error and REST clients cannot connect using the username and password in the secret.
Workaround: Go to the domain in the AWS Console, add a new master user (using the same username and password from the secret) and then the dashboard works as expected, and REST clients can connect to the domain.
CDK CLI Version
2.5.0 (build 0951122)
Framework Version
No response
Node.js Version
v16.13.1
OS
macOS 12.1
Language
Typescript
Language Version
No response
Other information
No response
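A post-deploy check for the failure described above, added here as an example (it is not code from the issue or from aws-cdk): it reads the generated secret's JSON, sends one authenticated request to the domain, and reports whether the master user actually works. The domain endpoint hostname and the secret's `username`/`password` JSON shape are assumptions.

```typescript
import { Buffer } from "node:buffer";

export interface MasterCredentials { username: string; password: string; }

// Parse the SecretString of the generated secret. It is expected to be a JSON
// object with "username" and "password" keys (assumed shape); anything else is
// rejected loudly so a half-populated secret is not mistaken for a working one.
export function parseMasterSecret(secretString: string): MasterCredentials {
  let parsed: unknown;
  try { parsed = JSON.parse(secretString); } catch { throw new Error("SecretString is not JSON"); }
  const obj = parsed as Record<string, unknown>;
  if (typeof obj?.username !== "string" || typeof obj?.password !== "string" || obj.password === "") {
    throw new Error("SecretString lacks a string username/password");
  }
  return { username: obj.username, password: obj.password };
}

// HTTP Basic auth header for the domain's internal user database.
export function basicAuthHeader(c: MasterCredentials): string {
  return "Basic " + Buffer.from(`${c.username}:${c.password}`, "utf8").toString("base64");
}

export type Verdict = "master-user-works" | "credentials-rejected" | "unexpected";

// Map the HTTP status of the authenticated request to a verdict. A 401/403 is
// what the issue describes: the secret exists but the domain never got its master user.
export function classify(status: number): Verdict {
  if (status === 200) return "master-user-works";
  if (status === 401 || status === 403) return "credentials-rejected";
  return "unexpected";
}

// Call the domain's cluster-health endpoint with the secret's credentials.
// `endpoint` is the domain endpoint hostname (assumed to come from describe-domain).
export async function verifyMasterUser(endpoint: string, secretString: string): Promise<Verdict> {
  const creds = parseMasterSecret(secretString);
  const res = await fetch(`https://${endpoint}/_cluster/health`, {
    headers: { Authorization: basicAuthHeader(creds) },
  });
  return classify(res.status);
}
```

Run `verifyMasterUser` right after `cdk deploy`; a "credentials-rejected" verdict means the console workaround above is still needed before any client relies on the secret.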