elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Metricbeat is unable to connect to AWS OpenSearch service. ERROR 401 Unauthorized #38118

Open nagachinni opened 5 months ago

nagachinni commented 5 months ago

Metricbeat running on EC2 is failing with the error: unable to connect to AWS OpenSearch service. ERROR 401 Unauthorized. My OpenSearch domain has fine-grained access control (FGAC) enabled, with an IAM role as master user. I have the access policy attached to the EC2 IAM role already and mapped the OpenSearch role "all_access", so it should reach the domain endpoint. However, this is not working.

To Reproduce

Create an AWS OpenSearch domain and enable FGAC. Create an EC2 instance and attach the IAM policy to allow access to the OpenSearch domain created above.

{
  "Effect": "Allow",
  "Action": [
    "es:*"
  ],
  "Resource": [
    "<domainarn>"
  ]
}

Update the OpenSearch domain access policy as below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "es:*"
      ],
      "Resource": "<domain_arn>"
    }
  ]
}

Install metricbeat-oss7.12.1 on the EC2 instance and configure it to push metrics to the OpenSearch domain endpoint. You'll receive the error stated above when running Metricbeat.

Expected behavior

Metricbeat should be able to push metrics to the OpenSearch endpoint.

Additional Details

Host/Environment (please complete the following information):

OS: Windows

botelastic[bot] commented 5 months ago

This issue doesn't have a Team:<team> label.

nagachinni commented 5 months ago

Does Metricbeat support AWS SigV4 authentication? If so, can someone please help with how to enable this in the config?

nagachinni commented 4 months ago

Hello guys, if someone could help me with this, that would be great!!

g-bohncke commented 4 months ago

https://github.com/awslabs/aws-sigv4-proxy

A temporary way around the issue
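For readers following the thread: aws-sigv4-proxy signs each outgoing request with AWS Signature Version 4 before forwarding it. The sketch below is an added example, not code from this thread, the Beats project or the proxy; it shows what that signing step computes for an OpenSearch request (service name `es`), including the session token header used with temporary EC2 role credentials. The function name, host, keys and token are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, host, path, query, body, access_key, secret_key,
                  region, service, amz_date, session_token=None):
    """Return the headers SigV4 adds to one request.

    path is the path as sent on the wire, query a dict of decoded
    parameters, body is bytes, amz_date looks like 20150830T123600Z.
    """
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials (e.g. an EC2 instance role)
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed = ";".join(names)
    pairs = sorted((quote(k, safe=""), quote(v, safe=""))
                   for k, v in query.items())
    canonical_request = "\n".join([
        method, quote(path, safe="/"), "&".join(f"{k}={v}" for k, v in pairs),
        "".join(f"{n}:{headers[n].strip()}\n" for n in names),
        signed, hashlib.sha256(body).hexdigest()])
    # The credential scope ties the signature to one day, region and service.
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key by chaining HMACs over the scope components.
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):
        key = _hmac(key, part)
    signature = _hmac(key, string_to_sign).hex()
    out = {n: headers[n] for n in names if n != "host"}
    out["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return out

# Constructed sample: a bulk request to an OpenSearch domain (service "es").
# Host, keys and token are placeholders, not real values.
SAMPLE = sigv4_headers(
    "POST", "search-example.us-east-1.es.amazonaws.com", "/_bulk", {},
    b'{"index":{}}\n{"cpu":0.4}\n', "AKIDEXAMPLE", "EXAMPLESECRET",
    "us-east-1", "es", "20240101T000000Z", session_token="EXAMPLETOKEN")
```

A client that sends the same request without these headers carries no IAM identity for the domain to evaluate.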