Glad it was helpful! Thanks so much for commenting!!

Thanks so much, Vimal! Glad it helped.

I haven't tried doing it programmatically yet myself. However, since the role mappings is internal to the OpenSearch API and not part of the AWS Control Plane / API, I would use some sort of post-deployment script in Terraform that calls the Security Plugin API, perhaps using a shell_script resource or something like that.

@@YannStoneman Thanks. Make sense. Not sure why but I mistakenly assumed OpenSearch is a aws service (much like s3 or dynamodb) which it clearly is not

@@Amapramaadhy Update: it does seem like the terraform provider has included deeper support for OpenSearch over time: registry.terraform.io/providers/opensearch-project/opensearch/latest/docs

@@YannStoneman Thanks for following up. Will definitely read up. Hopefully you will cover hardening managed opensearch clusters in future videos 😉

Hi Eternal Sunshine - this is separate from the AWS credentials. It’ll be the master username and password you set when you create the domain. Something like un: admin, pw: admin opensearch.org/docs/1.0/dashboards/index/ docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-opensearchservice-domain.html

Awesome! Thanks for the comment 😊

Thanks, Andy! I'm so glad this is helpful. This should be possible using the IAM role of the instance profile. What's the problem you're having with it?

Thanks Yann for taking the time to reply! Glad to hear that it should be possible! I'm still getting an unauthorized 403 error even after mapping the Opensearch Role to the IAM Role. I guess the problem is on the Signing Request portion as the application was built using Elasticsearch's NEST and there isn't a sample based on .NET for the AWS4Auth. I'll try again later!

@@andylbh That makes sense. I haven't tried this with .NET but I was curious just now and found this: stackoverflow.com/a/37218694/9754418 -- let us know how it goes :)

Thanks for watching falc410. Could you please share the link to which part of the documentation you’re following and any additional details?

Thanks so much Cecilia!!

Thanks so much for commenting. I’m glad it helped! Please share how to recreate the error (but continue blocking out private details).

Thanks so much for watching and commenting Tây!

Quickest way to access OpenSearch dashboard

I personally would recommend for a production scenario using SAML authentication so that you can manage your users in one place, “such as Okta, Keycloak, Active Directory Federation Services (ADFS), and Auth0.” See: docs.aws.amazon.com/opensearch-service/latest/developerguide/saml.html

@@YannStoneman I work on a small development team so only 2-3 of us really need access to the Opensearch instance, but we’re owned by a massive corporation that would make integrating with the IT team that runs the active directory a huge headache…. So is it actually unsafe to just have a couple internal users to log into or just not “ideal”? I’d love to have SSO set up too but it doesn’t quite seem in the cards, I just want to make sure I’m still creating a secure solution for accessing Opensearch.

@@zacbackas Nothing specific to OpenSearch in my thoughts here: it's just that with SSO, you have a single source of truth for users (which matters less with only 3 people), and you can have MFA as part of the SSO authentication process, which I guess could matter less if the dashboard is not publicly accessible and only accessible via an MFA-protected VPN or something like that. Nothing about OpenSearch is making me say this -- just the general SSO + MFA thinking.

@@YannStoneman ok thanks for the insight! Sounds like we’re safe enough for now with the internal user DB, but I’ll certainly be starting the conversation about SSO

Thanks Suhani - I’m so glad it helped!

Glad it was helpful! Thanks for commenting!

Yes, this should work the same cross-account. Glad it helped!

😂

Thanks so much Bakshim!!