Clarification for AWS OpenSearch roles for Pega SRS integration

We are in the process of externalizing Elasticsearch using AWS OpenSearch 2.1.5. Pega SRS will connect to OpenSearch based on AWS IAM role authentication. What are the required permissions that need to be provided for Pega SRS to function? Do we need cluster permissions to be provided? Is it recommended to provide index permissions via indices_all? Any suggestions on this?

@SHALINI KOPURI

Don’t give SRS cluster-admin or indices_all. Create an IAM role the SRS pods assume and allow it to call the domain with es:ESHttp* (SigV4-signed) in the domain access policy; that’s the network/auth gate. Then turn on fine-grained access control in OpenSearch and map that IAM role to an OpenSearch role with only what SRS needs: cluster_monitor (health/state) and manage_index_templates (component/index templates) at cluster level. At index level, scope permissions to the SRS indices/aliases (for example, pega-*, srs-*) and grant create_index, manage_aliases, read, write, delete, and bulk (or simply “manage” on those prefixes). This lets SRS create templates/mappings, create/roll indices, index/search/bulk-ingest, and maintain aliases without touching unrelated data. Use Pega’s SRS-for-OpenSearch image and awsIAM config in the Helm values; that’s the supported path for IAM-role auth. Yes to limited cluster perms (monitor + template management), yes to index perms but only on SRS prefixes, no to cluster_all or indices_all across the domain.
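
The role layout from the reply above, as an added example that is not code from the post or from Pega: the OpenSearch role body, its mapping to the IAM role, the domain access policy, and a small offline check that the role covers SRS actions on the assumed pega-*/srs-* indices but nothing outside them (including an index named config, the path seen in the follow-up error). The ARNs are placeholders, the action-group expansion is a simplified subset of the security plugin's built-in groups, and cluster_manage_index_templates and crud are the built-in group names used in place of the reply's shorthand.

```python
"""Least-privilege OpenSearch role for Pega SRS plus an offline permission check.
ARNs are constructed placeholders; ACTION_GROUPS is a simplified subset of the
security plugin's built-in action groups, not the full definitions."""
from fnmatch import fnmatch

SRS_INDEX_PATTERNS = ["pega-*", "srs-*"]                            # assumed SRS prefixes
IAM_ROLE_ARN = "arn:aws:iam::111122223333:role/srs-pods"            # placeholder
DOMAIN_ARN = "arn:aws:es:us-east-1:111122223333:domain/srs-search"  # placeholder

# Simplified subset of the built-in action groups (group -> fnmatch globs).
ACTION_GROUPS = {
    "cluster_monitor": ["cluster:monitor/*"],
    "cluster_manage_index_templates": ["indices:admin/template/*",
                                       "indices:admin/index_template/*"],
    "create_index": ["indices:admin/create", "indices:admin/mapping/put"],
    "manage_aliases": ["indices:admin/aliases*"],
    "crud": ["indices:data/read*", "indices:data/write*"],
}

def srs_role() -> dict:
    """Body for PUT _plugins/_security/api/roles/pega_srs (no indices_all/cluster_all)."""
    return {
        "cluster_permissions": ["cluster_monitor", "cluster_manage_index_templates"],
        "index_permissions": [{"index_patterns": SRS_INDEX_PATTERNS,
                               "allowed_actions": ["create_index", "manage_aliases", "crud"]}],
    }

def srs_role_mapping() -> dict:
    """Body for PUT _plugins/_security/api/rolesmapping/pega_srs: IAM role as backend role."""
    return {"backend_roles": [IAM_ROLE_ARN]}

def domain_access_policy() -> dict:
    """Domain access policy: the IAM role may make SigV4-signed HTTP calls only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": IAM_ROLE_ARN},
        "Action": "es:ESHttp*", "Resource": f"{DOMAIN_ARN}/*"}]}

def _expand(groups):
    # Unknown names are treated as raw permission patterns.
    return [p for g in groups for p in ACTION_GROUPS.get(g, [g])]

def is_allowed(role: dict, action: str, index=None) -> bool:
    """Would `role` permit `action`? Index-level actions also need a matching pattern."""
    if index is None:
        return any(fnmatch(action, p) for p in _expand(role["cluster_permissions"]))
    for ip in role["index_permissions"]:
        if any(fnmatch(index, pat) for pat in ip["index_patterns"]) and \
           any(fnmatch(action, p) for p in _expand(ip["allowed_actions"])):
            return True
    return False
```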

@Sairohith Thanks for your reply, appreciate it. We are getting the below error: “Opensearchstatusexception: URI [/config?ignore_throttled=false&ignore_unavailable=false&expand_wildcards=open%2Cclosed&allow_no_indices=false]”. The IAM node groups have es:http* and the OpenSearch AWS roles have cluster-level permissions cluster:monitor/health, cluster:monitor/state, cluster:monitor/nodes/info, cluster:monitor/main, indices:admin/template/delete, indices:admin/template/put, indices:admin/template/delete. Index-level permissions are as attached. I’m sure we are missing many other roles at cluster level. Any recommendations?