Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

aws_opensearchservice: Grant permissions using access policy for principals that cannot have policies attached #29213

Open
2 tasks done
pergardebrink opened this issue Feb 22, 2024 · 2 comments
Labels
@aws-cdk/aws-opensearch Related to the @aws-cdk/aws-opensearchservice package feature-request A feature should be added or improved. p2

Comments

@pergardebrink
Copy link

pergardebrink commented Feb 22, 2024

Describe the feature

We would like to be able to grant access to principals that cannot have policies attached by using the accesspolicies on OpenSearch

The current OpenSearch grantXYZ methods only works for adding permissions to a principal and not to add permissions to the access policy.

Use Case

We want to grant cross-account access to OpenSearch and want to use the Role.FromRoleArn in our stack and then use grantIndexWrite method to grant those principals access.

Proposed Solution

Use the access policy (resource policy) if the principal does not allow adding permissions (like an imported role or AccountPrincipal or similar)

Other Information

We can manually craft the access policy using the addAccessPolicies , but it's much more convenient and easier to understand if we can use the grantXYX methods.

More about OpenSearch Domain Access Policies (Resource Policies):
https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.129.0

Environment details (OS name and version, etc.)

Windows 11

@pergardebrink pergardebrink added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Feb 22, 2024
@github-actions github-actions bot added the @aws-cdk/aws-opensearch Related to the @aws-cdk/aws-opensearchservice package label Feb 22, 2024
@tim-finnigan
Copy link

Thanks for the feature request, this could probably use more discussion and input from the team. There was an issue involving fine-grained access control in OpenSearch, with the team's response here: #21193 (comment).

@tim-finnigan tim-finnigan self-assigned this Feb 22, 2024
@tim-finnigan tim-finnigan added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 22, 2024
@tim-finnigan tim-finnigan removed their assignment Feb 22, 2024
@pergardebrink
Copy link
Author

pergardebrink commented Feb 22, 2024

Thanks @tim-finnigan! I don't think fine grained permissions, like discussed in that issue, would be the same as I suggest here as fine grained permissions exists on top of access policies (to some degree discussed how they relate to each other here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-access-policies) and here: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource

But I'm not an expert on OpenSearch and might miss something that would make this to rather be an L3 or L2.5 mentioned in that issue.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
@aws-cdk/aws-opensearch Related to the @aws-cdk/aws-opensearchservice package feature-request A feature should be added or improved. p2
Projects
None yet
Development

No branches or pull requests

2 participants