You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
What is the outcome that you are trying to reach?
The blueprint currently has fine-grained access enabled. This requires an out-of-the-tree terraform provider or bulky and fragile scripts to provision users and roles in OpenSearch engine. All that can be implemented as resource-based IAM instead of fine-grained OpenSearch rbac.
Describe the solution you would like
Most of the cases need to provide secure access to:
a) Logs ingestors. Running in EKS they can utilize IRSA to access AWS services. This blueprint does that.
b) Logs readers. Apps owners, Platform teams, and other personas. They can use VPN or internal load balancers to access OpenSearch located inside of a VPC. Resource-based policy should allow "es:ESHttpGet" access to "arn:aws🇪🇸$region:$acc_id:domain/$index/"
c) Domain admins. "es:" access to "arn:aws🇪🇸$region:$acc_id:domain/$index" (not /* postfix is absent)
There's a way to extend resource-based IAM policy to have this covered.
Describe alternatives you have considered
Another way to solve it would be adding another terraform provider to manage fine-grained OpenSearch/ElasticSearch rbac.
The downwards of that approach are:
There's no OpenSearch provider. Only ElasticSearch one. Their compatibility is questionable and, probably, shouldn't be a part of the blueprint
There use cases for the blueprint can be covered with IAM. So extra provider seems like an overkill
Additional context
The text was updated successfully, but these errors were encountered:
Community Note
What is the outcome that you are trying to reach?
The blueprint currently has fine-grained access enabled. This requires an out-of-the-tree terraform provider or bulky and fragile scripts to provision users and roles in OpenSearch engine. All that can be implemented as resource-based IAM instead of fine-grained OpenSearch rbac.
Describe the solution you would like
Most of the cases need to provide secure access to:
a) Logs ingestors. Running in EKS they can utilize IRSA to access AWS services. This blueprint does that.
b) Logs readers. Apps owners, Platform teams, and other personas. They can use VPN or internal load balancers to access OpenSearch located inside of a VPC. Resource-based policy should allow "es:ESHttpGet" access to "arn:aws🇪🇸$region:$acc_id:domain/$index/"
c) Domain admins. "es:" access to "arn:aws🇪🇸$region:$acc_id:domain/$index" (not /* postfix is absent)
There's a way to extend resource-based IAM policy to have this covered.
Describe alternatives you have considered
Another way to solve it would be adding another terraform provider to manage fine-grained OpenSearch/ElasticSearch rbac.
The downwards of that approach are:
Additional context
The text was updated successfully, but these errors were encountered: