phillbaker / terraform-provider-elasticsearch

An elasticsearch provider for terraform
https://registry.terraform.io/providers/phillbaker/elasticsearch
Mozilla Public License 2.0

Unable to use identity provider credentials to log in #331

Closed juanma-cvega closed 1 year ago

juanma-cvega commented 1 year ago

Hi,

I'm currently just creating an OpenSearch cluster (v1.3) on AWS using the AWS provider. The cluster is configured to use Cognito as identity provider, and I use the domain access policy to grant users access to the dashboard and the API (through the dashboard). So far, I've configured it without any fine-grained access control and it works without issues. Now, I'm trying to use your provider to create an index state management policy. I'd like to do it using a Cognito user's credentials, but I always get a 403 error. The steps I've taken so far:

  1. Configured fine-grained access control to use the Cognito role.
  2. Created a user in Cognito to use its username/password.
  3. Added the role to the domain access policy (I've tried disabling the domain access policy completely in favor of fine-grained access control, but once I accept the changes in the console, it goes back to using the domain access policy).
  4. Connected to the OpenSearch dashboard to verify the role is correctly mapped to the all_access role.
  5. Used the username/password credentials in the provider configuration.

I've tried creating both an IAM user and an internal database user and both work fine once the domain access policy is adapted. But I would like to avoid having to use an extra user just for Terraform. Am I missing something? Maybe this cannot be done through an identity provider user.

This is the configuration I use for the provider:

provider "elasticsearch" {
  url               = "https://search-test-elasticsearch-uuidhere.us-east-1.es.amazonaws.com/"
  kibana_url        = "https://search-test-elasticsearch-uuidhere.us-east-1.es.amazonaws.com/_dashboards"
  healthcheck       = false
  sniff             = false
  username          = "test"
  password          = "anypassword"
  sign_aws_requests = false
}

phillbaker commented 1 year ago

Hello, please see https://github.com/phillbaker/terraform-provider-elasticsearch/issues/217. Cognito is not a valid way to authenticate to the underlying Elasticsearch/OpenSearch cluster; you need to use IAM credentials. That's a limitation of AWS, not this provider, so I'm going to close this issue.
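For readers who land here with the same setup, here is an added example (not from the issue, the provider's documentation, or its maintainer) of the provider block configured the way the reply above calls for: requests are signed with an IAM principal's credentials instead of a Cognito username/password. The `aws_region`, `aws_profile` and `aws_assume_role_arn` arguments are assumed from the provider's schema, and the region, profile name and role ARN are placeholders. The IAM user or role still has to be mapped to an OpenSearch role under fine-grained access control (the same mapping step the original post describes for the Cognito role), otherwise the 403 remains.

```hcl
# Added example: provider configured to sign requests with IAM credentials
# (SigV4) instead of the username/password pair from the issue.
# The Cognito-authenticated dashboard user cannot be used here; only an IAM
# principal (user or role) can be mapped by fine-grained access control.
provider "elasticsearch" {
  url         = "https://search-test-elasticsearch-uuidhere.us-east-1.es.amazonaws.com/"
  healthcheck = false
  sniff       = false

  # Sign every request with SigV4. This is the provider's default; it is set
  # explicitly because the original configuration had turned it off.
  sign_aws_requests = true
  aws_region        = "us-east-1" # assumed: the domain's region

  # Credentials come from the standard AWS credential chain. A named profile
  # (assumed name) keeps Terraform's principal separate from human users.
  aws_profile = "terraform-opensearch"

  # Optional: assume a dedicated role so the domain's role mapping targets
  # one principal rather than individual users. The ARN is a placeholder.
  # aws_assume_role_arn = "arn:aws:iam::123456789012:role/terraform-opensearch"
}
```

With fine-grained access control enabled, the ARN of that IAM user or role is what gets mapped in the security plugin; mapping it to a role limited to the index state management permissions Terraform actually needs is preferable to all_access, since the credentials live wherever Terraform runs. If the domain access policy stays in place, as in the original post, the same principal must also be allowed there.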