phillbaker / terraform-provider-elasticsearch

An elasticsearch provider for terraform
https://registry.terraform.io/providers/phillbaker/elasticsearch
Mozilla Public License 2.0

Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster #318

Open diogosilvaiupp opened 1 year ago

diogosilvaiupp commented 1 year ago

Dear, I'm getting the following error

Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster
terraform {
   required_providers {
     elasticsearch = {
       source = "phillbaker/elasticsearch"
       version = "2.0.5"
     }
   }
}

provider "elasticsearch" {
   username = "<myuser>"
   password = "<mypass>"
   url = "<my_url_vpc> and/or <my_custom_url>"
   healthcheck = false
   aws_region = "us-east-1"
}

There was a test with the master user and with another user created, both have the same error.

Could you please help me? Thanks

sujata2015 commented 1 year ago

Hi, I also have the same issue when trying to create the backend mapping

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.33.0"
    }
    grafana = {
      source  = "grafana/grafana"
      version = ">= 1.13.3"
    }
    elasticsearch = {
      source  = "phillbaker/elasticsearch"
      version = "2.0.5"
    }
  }
}

provider "elasticsearch" {
  url         = join("", ["https://", aws_elasticsearch_domain.es.endpoint])
  healthcheck = false
  # references must be unquoted; quoting them sends the literal text as credentials
  username    = var.user
  password    = data.aws_ssm_parameter.opensearch_master_user_password.value
}

# Create a role mapping
resource "elasticsearch_opensearch_roles_mapping" "mapper" {
  role_name     = "lambda_access"
  users         = ["admin"]
  description   = "Mapping AWS IAM roles to ES role"
  backend_roles = [
    aws_iam_role.lambda_dashboard_exec.arn
  ]
}

and the error I am getting is HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

phillbaker commented 1 year ago

Hello, what steps have you taken so far to debug the issue? The error message is descriptive in this case: the provider does not have permission to access the cluster. You can also search this repository for similar issues in the past: https://github.com/phillbaker/terraform-provider-elasticsearch/issues?q=is%3Aissue+403

Please include the following information:

Note: Issues on this repository are for reporting bugs and feature requests for this provider, not for providing support for unique environments. In order to investigate this, a reproducible case should be provided; if that can't be provided, we'll have to close this issue to focus on widely impacting issues.

sujata2015 commented 1 year ago

Hello, I am running the provider when executing terraform init and apply from my local machine. It is configured to use the AWS CLI and the respective AWS profile. The Elasticsearch cluster is located in the same AWS account. I am able to execute a curl command using the same credentials from the same CLI. Best Regards, Sujata

jlyon12345 commented 1 year ago

Hi @phillbaker, I think I am running into this issue as well (or something similar). As far as I can tell, what is happening is that the provider detects AWS from the URL even if you specify a username and password, then tries to authenticate with AWS. This creates some confusion where the provider attempts to use AWS credentials even though they may not be configured properly for that specific OpenSearch/Elasticsearch instance. Could we add a setting to select the auth method? The offending line is here: https://github.com/phillbaker/terraform-provider-elasticsearch/blob/master/es/provider.go#L323 I can create a PR if you think this is the appropriate solution, thanks.
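
The auth-selection behaviour described in this comment, as an added illustration that is not the provider's own code: a small Go model in which one selector lets an AWS-looking URL win (so basic credentials are ignored and a SigV4-signed request is sent under whatever AWS identity is in the environment), and a second selector lets an explicit opt-out, modelled on the provider's `sign_aws_requests` option, take precedence. The `Config` struct, the function names and the `.es.amazonaws.com` suffix check are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AuthMethod is the mechanism a client would use to authenticate a request.
type AuthMethod int

const (
	AuthNone     AuthMethod = iota // no usable credentials
	AuthBasic                      // HTTP basic auth with username/password
	AuthAWSSigV4                   // request signed with AWS credentials
)

func (a AuthMethod) String() string {
	switch a {
	case AuthBasic:
		return "basic"
	case AuthAWSSigV4:
		return "aws-sigv4"
	default:
		return "none"
	}
}

// Config is a hypothetical stand-in for the provider settings quoted in this
// thread; the field names are assumptions, not the provider's own types.
type Config struct {
	URL             string
	Username        string
	Password        string
	SignAWSRequests bool // models the provider's sign_aws_requests option
}

// isAWSEndpoint reports whether the host looks like an Amazon OpenSearch /
// Elasticsearch Service domain, using the ".es.amazonaws.com" suffix seen in
// the endpoints quoted in this thread (an assumption for this example).
func isAWSEndpoint(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	host := strings.ToLower(u.Hostname()) // Hostname() drops any ":443" port
	return strings.HasSuffix(host, ".es.amazonaws.com"), nil
}

// selectAuthURLFirst models the behaviour reported above: an AWS-looking URL is
// enough to pick SigV4 signing, so username/password are never sent and the
// cluster rejects the signed request with 403 when the ambient AWS identity is
// not authorised on the domain.
func selectAuthURLFirst(c Config) (AuthMethod, error) {
	aws, err := isAWSEndpoint(c.URL)
	if err != nil {
		return AuthNone, err
	}
	if aws {
		return AuthAWSSigV4, nil
	}
	if c.Username != "" && c.Password != "" {
		return AuthBasic, nil
	}
	return AuthNone, nil
}

// selectAuthExplicit lets the operator's choice win: with signing switched off
// and basic credentials present, the URL is not consulted at all. SigV4 is only
// chosen for an AWS endpoint while signing is still enabled.
func selectAuthExplicit(c Config) (AuthMethod, error) {
	if c.Username != "" && c.Password != "" && !c.SignAWSRequests {
		return AuthBasic, nil
	}
	aws, err := isAWSEndpoint(c.URL)
	if err != nil {
		return AuthNone, err
	}
	if aws && c.SignAWSRequests {
		return AuthAWSSigV4, nil
	}
	if c.Username != "" && c.Password != "" {
		return AuthBasic, nil
	}
	return AuthNone, nil
}

func main() {
	// Constructed configs: signing left on (as in the reports above) and the
	// same config with sign_aws_requests = false.
	on := Config{URL: "https://vpc-example.eu-west-1.es.amazonaws.com:443/", Username: "admin", Password: "secret", SignAWSRequests: true}
	off := on
	off.SignAWSRequests = false
	for _, c := range []Config{on, off} {
		a, _ := selectAuthURLFirst(c)
		b, _ := selectAuthExplicit(c)
		fmt.Printf("sign_aws_requests=%-5v url-first=%-9s explicit=%s\n", c.SignAWSRequests, a, b)
	}
}
```

The point of the two selectors is the order of the checks: consulting the URL before the caller's explicit settings means a correctly configured username/password can never be used against an AWS-hosted domain, which is exactly the symptom reported here (curl with the same credentials works, the provider gets 403).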

higuita commented 1 year ago

I use this to connect to AWS; notice the sign_aws_requests = false, which looks like it is required in AWS when using a plain username/password.

After this, everything started to work.

provider "elasticsearch" {
  url               = "https://vpc-logs-staging-rnux7f6m.eu-west-1.es.amazonaws.com:443/"
  kibana_url        = "https://vpc-logs-staging-rnux7f6m.eu-west-1.es.amazonaws.com/_dashboards"
  sign_aws_requests = false
  username          = "admin"
  password          = data.pass_password.admin_pass.password
  healthcheck       = false
  sniff             = false
}

phillbaker commented 1 year ago

@jlyon12345 sorry for the slow response, but a PR would be great!

rishabhToshniwal commented 1 year ago

Facing a similar issue when Fine-Grained Access Control is enabled for the OpenSearch domain. I tried curl from the same machine and it worked.

curl -k https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com -u "username:password"

Below is the configuration I have:

provider "elasticsearch" {
  url               = "https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com"
  #sign_aws_requests = false
  aws_region        = var.aws_region
  healthcheck       = false
  sniff             = false
  # credentials redacted; placeholders keep the block valid HCL
  username          = "<username>"
  password          = "<password>"
}

The error I am getting:

Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

vrecan commented 10 months ago

@rishabhToshniwal were you able to resolve your issue? I am seeing the same problem. I can curl it manually just fine but I get 403 through the terraform module.

higuita commented 8 months ago

@rishabhToshniwal were you able to resolve your issue? I am seeing the same problem. I can curl it manually just fine but I get 403 through the terraform module.

Again, read my comment: https://github.com/phillbaker/terraform-provider-elasticsearch/issues/318#issuecomment-1371722505

This works fine for me:

provider "elasticsearch" {
  url                = "https://logs-staging-r...amazonaws.com:443/"
  kibana_url         = "https://logs-staging-r....es.amazonaws.com/_dashboards"
  # SAML and basic user, we do not need aws auth
  # aws_region       = var.aws_region
  # aws_profile      = "staging"
  sign_aws_requests  = false
  username           = "admin"
  password           = data.pass_password.admin_pass.password
  healthcheck        = false
  sniff              = false
}