Open diogosilvaiupp opened 1 year ago
Hi, I also have the same issue when trying to create the backend mapping
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.33.0"
    }
    grafana = {
      source  = "grafana/grafana"
      version = ">= 1.13.3"
    }
    elasticsearch = {
      source  = "phillbaker/elasticsearch"
      version = "2.0.5"
    }
  }
}

provider "elasticsearch" {
  url         = join("", ["https://", aws_elasticsearch_domain.es.endpoint])
  healthcheck = false
  username    = "var.user"
  password    = "data.aws_ssm_parameter.opensearch_master_user_password.value"
}

# Create a role mapping
resource "elasticsearch_opensearch_roles_mapping" "mapper" {
  role_name   = "lambda_access"
  users       = ["admin"]
  description = "Mapping AWS IAM roles to ES role"
  backend_roles = [
    aws_iam_role.lambda_dashboard_exec.arn
  ]
}
```
and the error I am getting is HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.
Hello, what steps have you taken so far to debug the issue? The error message is descriptive in this case: the provider does not have permission to access the cluster. You can also search this repository for similar issues in the past: https://github.com/phillbaker/terraform-provider-elasticsearch/issues?q=is%3Aissue+403
Please include the following information:
Note: Issues on this repository are for reporting bugs and feature requests for this provider, not providing support for unique environments. In order to investigate this, a reproducible case should be provided, if that can't be provided, we'll have to close this issue to focus on widely impacting issues.
Hello, I am running the provider when executing Terraform init and apply from my local machine. It is configured to use AWS Cli and respective AWS profile. ElasticSearch Cluster is located in the same AWS ACCOUNT. I am able to execute curl command using the same credentials from the same CLI. Best Regards, Sujata
Hi @phillbaker I think I am running into this issue as well (or something similar). As far as I can tell what is happening is the provider detects AWS from the url even if you specify a username and password, then tries to authenticate with AWS. This creates some confusion where the provider attempts to use AWS credentials even though they may not be configured properly for that specific opensearch/elasticsearch instance. Could we add a setting to select auth method? The offending line is here: https://github.com/phillbaker/terraform-provider-elasticsearch/blob/master/es/provider.go#L323 I can create a PR if you think this is the appropriate solution, thanks.
I use this to connect to AWS; notice the `sign_aws_requests = false`, which looks like it is required in AWS when using plain username/password. After this, everything started to work.

```hcl
provider "elasticsearch" {
  url               = "https://vpc-logs-staging-rnux7f6m.eu-west-1.es.amazonaws.com:443/"
  kibana_url        = "https://vpc-logs-staging-rnux7f6m.eu-west-1.es.amazonaws.com/_dashboards"
  sign_aws_requests = false
  username          = "admin"
  password          = data.pass_password.admin_pass.password
  healthcheck       = false
  sniff             = false
}
```
@jlyon12345 sorry for the slow response, but a PR would be great!
Facing similar issue when Fine Grain Access Control is enabled for opensearch domain. I tried curl from the same machine and it worked.
```
curl -k https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com -u "username:password"
```

Below is the configuration which I have:

```hcl
provider "elasticsearch" {
  url = "https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com"
  #sign_aws_requests = false
  aws_region  = var.aws_region
  healthcheck = false
  sniff       = false
  username    = username
  password    = password
}
```
The error I am getting
Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.
@rishabhToshniwal were you able to resolve your issue? I am seeing the same problem. I can curl it manually just fine but I get 403 through the terraform module.
> @rishabhToshniwal were you able to resolve your issue? I am seeing the same problem. I can curl it manually just fine but I get 403 through the terraform module.
again, read my comment: https://github.com/phillbaker/terraform-provider-elasticsearch/issues/318#issuecomment-1371722505
This works fine for me:
```hcl
provider "elasticsearch" {
  url        = "https://logs-staging-r...amazonaws.com:443/"
  kibana_url = "https://logs-staging-r....es.amazonaws.com/_dashboards"
  # SAML and basic user, we do not need aws auth
  # aws_region = var.aws_region
  # aws_profile = "staging"
  sign_aws_requests = false
  username          = "admin"
  password          = data.pass_password.admin_pass.password
  healthcheck       = false
  sniff             = false
}
```
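A pre-apply check for the misconfiguration discussed in the comments above, as an added example that is not part of the thread or of the provider's code: it flags `provider "elasticsearch"` blocks that set `username`/`password` on an `*.es.amazonaws.com` URL without an explicit `sign_aws_requests = false`. It assumes request signing stays on unless that setting is present, as the comments report; the sample configurations are constructed from the ones posted here, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the configurations posted in this thread.
FAILING = '''
provider "elasticsearch" {
  url         = "https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com"
  #sign_aws_requests = false
  aws_region  = var.aws_region
  healthcheck = false
  username    = var.user
  password    = var.password
}
'''
WORKING = FAILING.replace("#sign_aws_requests", "sign_aws_requests")

AWS_ES_HOST = re.compile(r"\.es\.amazonaws\.com(?::\d+)?(?:/|$)")
ASSIGNMENT = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")


def provider_blocks(tf_text, name="elasticsearch"):
    """Yield the attributes of each `provider "<name>"` block as a dict."""
    header = re.compile(r'provider\s+"%s"\s*\{' % re.escape(name))
    for match in header.finditer(tf_text):
        depth, pos = 1, match.end()
        while pos < len(tf_text) and depth:  # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(tf_text[pos], 0)
            pos += 1
        attrs = {}
        for line in tf_text[match.end():pos - 1].splitlines():
            if line.lstrip().startswith(("#", "//")):
                continue  # a commented-out setting is not in effect
            found = ASSIGNMENT.match(line)
            if found:
                attrs[found.group(1)] = found.group(2)
        yield attrs


def basic_auth_will_be_signed(attrs):
    """True when basic auth is configured on an AWS-looking URL but
    request signing has not been switched off explicitly."""
    url = attrs.get("url", "").strip('"')
    has_basic = "username" in attrs and "password" in attrs
    signing_off = attrs.get("sign_aws_requests") == "false"
    return bool(AWS_ES_HOST.search(url)) and has_basic and not signing_off


def lint(tf_text):
    """Return the URLs of provider blocks that match the failing pattern."""
    return [a["url"].strip('"') for a in provider_blocks(tf_text)
            if basic_auth_will_be_signed(a)]
```

The check only sees literal URLs; a `url` built from an expression such as `join(...)` over a resource attribute is not resolved and is not flagged.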
Dear, I'm getting the following error
Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster
There was a test with the master user and with another user created, both have the same error.
Could you please help me? Thanks