How do I set up cross-account access for AWS OpenSearch Service?
In this guide, we will set up cross-account access for AWS OpenSearch Service using Pulumi. We will create an OpenSearch domain in one AWS account and configure an IAM role in another AWS account to allow access to the OpenSearch domain. The following steps will be covered:
- Create an OpenSearch domain in the source account.
- Create an IAM role in the target account with permissions to access the OpenSearch domain.
- Update the OpenSearch domain’s access policy to allow the IAM role from the target account.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// The default AWS provider deploys into the source account. Resources for
// the target account need their own provider; this assumes a local AWS CLI
// profile named "target-account" (substitute your own profile/credentials).
const targetProvider = new aws.Provider("target", {
    profile: "target-account",
    region: "REGION",
});

// Source Account: Create OpenSearch Domain
const domain = new aws.opensearch.Domain("my-domain", {
    engineVersion: "OpenSearch_1.0",
    clusterConfig: {
        instanceType: "m5.large.search",
    },
    ebsOptions: {
        ebsEnabled: true,
        volumeSize: 10,
    },
    // Resource-based access policy: grant only the named role in the target
    // account, and only the HTTP verbs it needs. Take the rendered `json`
    // field of the lookup result; stringifying the whole result object
    // would not produce a valid policy document.
    accessPolicies: pulumi.output(aws.iam.getPolicyDocument({
        statements: [{
            effect: "Allow",
            principals: [{
                type: "AWS",
                identifiers: ["arn:aws:iam::TARGET_ACCOUNT_ID:role/CrossAccountRole"],
            }],
            actions: ["es:ESHttpGet", "es:ESHttpPut"],
            // ACCOUNT_ID here is the source account (the one owning the domain)
            resources: ["arn:aws:es:REGION:ACCOUNT_ID:domain/my-domain/*"],
        }],
    })).apply(doc => doc.json),
});

// Target Account: Create IAM Role
const crossAccountRole = new aws.iam.Role("CrossAccountRole", {
    // Pin the name: Pulumi auto-names resources with a random suffix, which
    // would not match the role ARN referenced in the domain policy above.
    name: "CrossAccountRole",
    // Trust relationship: principals in the source account may assume this role
    assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        AWS: "arn:aws:iam::SOURCE_ACCOUNT_ID:root",
    }),
}, { provider: targetProvider });

// Identity-based policy on the role; both this and the domain policy must
// allow the call, so keep the two statements equally narrow.
const policy = new aws.iam.RolePolicy("CrossAccountRolePolicy", {
    role: crossAccountRole.id,
    policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: [
                "es:ESHttpGet",
                "es:ESHttpPut",
            ],
            Effect: "Allow",
            Resource: `arn:aws:es:REGION:ACCOUNT_ID:domain/my-domain/*`,
        }],
    }),
}, { provider: targetProvider });

// Export the domain endpoint
export const domainEndpoint = domain.endpoint;
```
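As an added check that is not part of the Pulumi program above: before applying a domain access policy, lint it for the grants that make cross-account access risky (anonymous or whole-account principals, principals from accounts you do not trust, wildcard actions or resources). The sample policies and 12-digit account IDs below are constructed.

```typescript
// Added audit helper, not part of the Pulumi program above: parse an
// OpenSearch domain access policy and flag grants a reviewer would reject.
interface Statement {
    Effect: "Allow" | "Deny";
    Principal?: string | { AWS?: string | string[] };
    Action: string | string[];
    Resource: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[]; }
const asList = (v: string | string[] | undefined): string[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];
// The account ID is the fifth colon-separated field of an IAM ARN.
const accountOf = (arn: string): string | undefined => arn.split(":")[4] || undefined;
function auditAccessPolicy(policyJson: string, trustedAccounts: string[]): string[] {
    const findings: string[] = [];
    const doc: PolicyDocument = JSON.parse(policyJson);
    doc.Statement.forEach((s, i) => {
        if (s.Effect !== "Allow") return;
        const principals = typeof s.Principal === "string"
            ? [s.Principal] : asList(s.Principal?.AWS);
        for (const p of principals) {
            if (p === "*") { findings.push(`statement ${i}: anonymous principal "*"`); continue; }
            const acct = accountOf(p);
            if (acct !== undefined && !trustedAccounts.includes(acct)) {
                findings.push(`statement ${i}: principal from untrusted account ${acct}`);
            }
            // ":root" admits every principal in that account through the domain policy
            if (p.endsWith(":root")) findings.push(`statement ${i}: whole-account principal ${p}`);
        }
        for (const a of asList(s.Action)) {
            if (a === "*" || a === "es:*") findings.push(`statement ${i}: wildcard action ${a}`);
        }
        if (asList(s.Resource).includes("*")) findings.push(`statement ${i}: wildcard resource`);
    });
    return findings;
}
// Constructed samples: the scoped grant from the program above, and a broad one.
const scopedPolicy = JSON.stringify({
    Version: "2012-10-17",
    Statement: [{
        Effect: "Allow",
        Principal: { AWS: ["arn:aws:iam::222222222222:role/CrossAccountRole"] },
        Action: ["es:ESHttpGet", "es:ESHttpPut"],
        Resource: ["arn:aws:es:us-east-1:111111111111:domain/my-domain/*"],
    }],
});
const broadPolicy = JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: "*", Action: "es:*", Resource: "*" }],
});
```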
Key Points
- We created an OpenSearch domain in the source account.
- An IAM role was created in the target account with a trust relationship allowing the source account to assume the role.
- The OpenSearch domain’s access policy was updated to allow the IAM role from the target account to access the domain.
Summary
We successfully set up cross-account access for AWS OpenSearch Service. The OpenSearch domain in the source account can now be reached by the IAM role in the target account, with both the domain's resource-based policy and the role's identity-based policy limited to the named role, the named domain and the two HTTP actions it needs.