Message: 'User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action' #3704

Open
sgondkar-haptiq opened this issue Jan 9, 2025 · 2 comments
Labels
need-customer-response Maintainer response provided, waiting for customer feedback.

Comments

@sgondkar-haptiq

I get this error in the logs when an anonymous user is trying to access Elasticsearch. Sometimes it works with the same policy and sometimes it starts giving this error. We have the same setup running on stage and prod, but we are facing the issue on stage, while PROD is working totally fine without any issues. Recently there was an index update done by the DEV team for some of the indexes. We have added a few public IPs which were requested to be added from the client side.

2025-01-03T14:18:46.224Z aae4193b-f1cd-44da-b549-8a797653d6c9 INFO ~ error: StatusCodeError: Authorization Exception
at respond (/var/task/node_modules/elasticsearch/src/lib/transport.js:349:15)
at checkRespForFailure (/var/task/node_modules/elasticsearch/src/lib/transport.js:306:7)
at HttpConnector. (/var/task/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
at IncomingMessage.wrapper (/var/task/node_modules/lodash/lodash.js:4991:19)
at IncomingMessage.emit (node:events:529:35)
at endReadableNT (node:internal/streams/readable:1400:12)
at process.processTicksAndRejections (node:internal/process/task_queues:82:21) {
status: 403,
displayName: 'AuthorizationException',
path: '/stage/_doc',
query: { type: 'requests' },
body: '{"course_id":null,"email":null,"from_date":null,"limit":null,"page":null,"to_date":null,"db_state_code":"MN","state_code":"MN","request_name":null,"request_date":1735913926195,"hits":42396,"resource":"/users","roles":null,"updated_since":null,"user_id":null,"certificates":null,"completion_code":null}',
statusCode: 403,
response: '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"}',
toString: [Function (anonymous)],
toJSON: [Function (anonymous)]

Could anyone please help if anyone has an idea on this request?

@sgondkar-haptiq sgondkar-haptiq added the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Jan 9, 2025
@sgondkar-haptiq
Author

This is the IAM policy being used.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": ""
      },
      "Action": "es:",
      "Resource": "arn:aws:es:us-east-1:653428368606:domain/nfhssso-stage/",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ""
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::653428368606:user/mms-stage-es",
          "arn:aws:iam::653428368606:user/sso.stage",
          "arn:aws:iam::653428368606:role/nfhslearn-api-service-stage-us-east-1-lambdaRole",
          "arn:aws:iam::653428368606:user/learn-stage-es"
        ]
      },
      "Action": "es:",
      "Resource": "arn:aws:es:us-east-1:653428368606:domain/nfhssso-stage/"
    }
  ]
}

@roger-zhangg
Member

From this information it seems this issue is coming from IAM, where the condition doesn't match. Could it be possible that the IP specified here doesn't match the requester's IP address? The other part of the policy looks good to me.

"Condition": {
"IpAddress": {
"aws:SourceIp": ""
}
}
},

@roger-zhangg roger-zhangg added need-customer-response Maintainer response provided, waiting for customer feedback. and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Jan 24, 2025
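
The following is an added example, not part of the issue thread or of the project's code. It is a simplified model (not AWS's evaluation engine) of how an unsigned request is checked against a domain access policy with an `aws:SourceIp` condition, showing the same policy allowing one source IP and implicitly denying another. The wildcard principal, account ID, domain name and CIDRs are constructed placeholders, and explicit Deny statements and other condition operators are not modelled.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy: wildcard principal, account ID, domain name and CIDRs are placeholders.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.7"]}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_condition_ok(statement, source_ip):
    """True when there is no IpAddress condition or source_ip falls in a listed CIDR."""
    cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def evaluate_anonymous(policy, action, resource, source_ip):
    """Unsigned request: only Allow statements with a wildcard principal can match."""
    for st in _as_list(policy["Statement"]):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") != "Allow" or not wildcard:
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _ip_condition_ok(st, source_ip):
            return "Allow"
    # No statement matched: reported as "no resource-based policy allows the ... action".
    return "ImplicitDeny"

if __name__ == "__main__":
    res = "arn:aws:es:us-east-1:111122223333:domain/example-domain/stage/_doc"
    for ip in ("203.0.113.10", "198.51.100.7", "198.51.100.8"):  # constructed caller IPs
        print(ip, evaluate_anonymous(POLICY, "es:ESHttpPost", res, ip))
```

Comparing the caller's actual egress address against the allowlisted CIDRs in this way is the check the maintainer's question points at.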