IAM Auth Setup

This guide covers the minimum IAM permissions required to access an OpenSearch UI application using IAM authentication (no Identity Center).

Prerequisites

  • An OpenSearch UI application created with IAM auth (see Create your first app)
  • An IAM role that needs access to the application
  • AWS CLI configured with credentials

Step 1: Grant IAM permission

Attach this policy to the IAM role that needs access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "opensearch:ApplicationAccessAll",
            "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
        }
    ]
}

To scope access to a specific application:

"Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"

CLI example:

aws iam put-role-policy \
  --role-name <ROLE_NAME> \
  --policy-name OpenSearchAppAccess \
  --policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Action":"opensearch:ApplicationAccessAll",
      "Resource":"arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
    }]
  }'

The action is opensearch:ApplicationAccessAll, not es:ESHttpGet or es:ApplicationLogin. See common mistakes for details.

AWS Console access (optional)

If users also navigate to the application through the AWS Console, add:

{
    "Effect": "Allow",
    "Action": "es:GetApplication",
    "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"
}
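As an added check that is not part of this guide or of any AWS tool, the following script reads an IAM policy document and reports whether it actually satisfies Step 1: `opensearch:ApplicationAccessAll` allowed on an OpenSearch application ARN, whether that grant is scoped to one application or uses `application/*`, and whether the policy relies on `es:ESHttpGet` or `es:ApplicationLogin` instead (the mistake called out above). The sample policies, account id and application id in it are constructed placeholders; `Deny` statements, `NotAction` and `Condition` blocks are not evaluated.

```python
"""Check an IAM policy document against the Step 1 requirements.

Added example, not part of the original guide and not an AWS tool.
Given a policy document (dict or JSON string) it reports whether
opensearch:ApplicationAccessAll is allowed on an OpenSearch application
ARN, whether that grant uses the application/* wildcard, and whether the
policy uses es:ESHttpGet or es:ApplicationLogin instead. Deny statements,
NotAction and Condition blocks are ignored. All sample policies are constructed.
"""
import fnmatch
import json
import re

REQUIRED_ACTION = "opensearch:ApplicationAccessAll"
MISTAKEN_ACTIONS = {"es:esHttpGet".lower(), "es:ApplicationLogin".lower()}
# arn:aws:opensearch:<region>:<account>:application/<app-id or *>
# (region/account are left loose so the guide's <REGION>/<ACCOUNT_ID> templates also match)
APP_ARN_RE = re.compile(r"^arn:aws:opensearch:[^:]*:[^:]*:application/(?P<app>[^/]+)$")


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and allows * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_app_access_policy(policy):
    """Return findings for one identity policy document (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = {
        "grants_access": False,      # required action allowed on an application ARN
        "wildcard_resource": False,  # grant covers application/* (or *) rather than one app
        "scoped_app_ids": [],
        "mistaken_actions": [],
        "problems": [],
    }
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        # es:* actions do not grant UI login; record them wherever they appear.
        findings["mistaken_actions"] += [a for a in actions if a.lower() in MISTAKEN_ACTIONS]
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(a, REQUIRED_ACTION) for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings["grants_access"] = True
                findings["wildcard_resource"] = True
                continue
            m = APP_ARN_RE.match(resource)
            if not m:
                findings["problems"].append(
                    f"{REQUIRED_ACTION} is allowed on a non-application resource: {resource}")
                continue
            findings["grants_access"] = True
            if m.group("app") == "*":
                findings["wildcard_resource"] = True
            else:
                findings["scoped_app_ids"].append(m.group("app"))
    if not findings["grants_access"]:
        findings["problems"].append(
            f"no Allow statement grants {REQUIRED_ACTION} on an application ARN")
    if findings["mistaken_actions"]:
        findings["problems"].append(
            "actions that do not grant UI login: " + ", ".join(findings["mistaken_actions"]))
    return findings


# Constructed sample policies: region, account id and application id are placeholders.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "opensearch:ApplicationAccessAll",
    "Resource": "arn:aws:opensearch:us-east-1:123456789012:application/app-EXAMPLE1234"}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["opensearch:ApplicationAccessAll"],
    "Resource": "arn:aws:opensearch:us-east-1:123456789012:application/*"}]}
MISTAKEN_POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpPost"],
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/example-domain/*"}]}"""

if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("mistaken", MISTAKEN_POLICY_JSON)]:
        print(name, json.dumps(check_app_access_policy(pol), indent=2))
```

Run it against the output of `aws iam get-role-policy` before attaching a policy to a role; an empty `problems` list with `wildcard_resource` false means the grant is scoped to a single application as the "scope access to a specific application" snippet above intends.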

Step 2: Configure dashboard admin

Set which IAM principals get admin privileges inside the dashboards UI.

Allow all authenticated users:

aws opensearch update-application \
  --id <APP_ID> \
  --app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"*"}]' \
  --region <REGION>

Allow a specific role:

aws opensearch update-application \
  --id <APP_ID> \
  --app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"}]' \
  --region <REGION>

Dashboard admin controls admin-level features inside the UI (index pattern management, saved objects, etc.). It is not required for login — the IAM policy alone is sufficient to access the application.

Step 3: Verify access

Browser access (presigned URL)

Generate a SigV4 presigned URL and open it in a browser:

from botocore.session import Session
from botocore.auth import SigV4QueryAuth
from botocore.awsrequest import AWSRequest

# Credentials come from the usual AWS CLI/SDK chain (environment, profile, instance role).
session = Session()
cred = session.get_credentials().get_frozen_credentials()

endpoint = "<APP_ENDPOINT>"
region = "<REGION>"

# Sign GET /_login/ as a query-string (presigned) URL for the "opensearch" service.
# The URL stays valid for 300 seconds.
url = f"https://{endpoint}/_login/"
request = AWSRequest(method="GET", url=url)
SigV4QueryAuth(cred, "opensearch", region, expires=300).add_auth(request)

print(request.url)  # Open this URL in a browser

The /_login/ presigned URL only works in a browser. It does not work with curl or other HTTP clients.

Programmatic access (curl with SigV4 headers)

from botocore.session import Session
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
import subprocess

session = Session()
cred = session.get_credentials().get_frozen_credentials()

endpoint = "<APP_ENDPOINT>"
region = "<REGION>"

# Sign GET / with SigV4 headers (service name "opensearch") and hand the signed
# headers to curl. "-D -" dumps the response headers to stdout so the
# status line and Location header are visible.
url = f"https://{endpoint}/"
request = AWSRequest(method="GET", url=url)
SigV4Auth(cred, "opensearch", region).add_auth(request)

cmd = ["curl", "-s", "-w", "\\nHTTP: %{http_code}\\n", "-D", "-"]
for k, v in request.headers.items():
    cmd.extend(["-H", f"{k}: {v}"])
cmd.append(url)

result = subprocess.run(cmd, capture_output=True, text=True)
print(result.stdout)

Expected results:

  • Success: HTTP/1.1 302 Found with location: /app/workspace_initial
  • Failure: HTTP/1.1 403 Forbidden — check your IAM policy

SigV4 signing details

| Parameter            | Value                         |
|----------------------|-------------------------------|
| Service name         | opensearch                    |
| Algorithm            | AWS4-HMAC-SHA256              |
| Signed headers       | host (minimum)                |
| Presigned URL expiry | Up to 300 seconds recommended |

Common mistake: Using es or aoss as the SigV4 service name. The correct service name is opensearch.
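To make the table concrete, here is an added, standard-library-only SigV4 header signer for the application endpoint. It is not the guide's code and not botocore; it exists so the canonical request, the credential scope and the signing-key derivation that the `opensearch` service name feeds into are visible. The host name, timestamp and key pair below are constructed sample values (the key pair is AWS's documented example pair), and `x-amz-date` is signed alongside `host`, the minimum the table lists.

```python
"""Minimal SigV4 header signing for an OpenSearch UI application endpoint.

Added example, not the guide's code and not botocore. Implements the steps
behind the "SigV4 signing details" table with the standard library so that
the canonical request, string to sign and signing-key chain are visible.
Host, key pair and timestamp are constructed sample values.
"""
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").

    The service name is one link in this chain, which is why signing with "es"
    or "aoss" yields a different signature than the endpoint expects.
    """
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_get(host, path, region, access_key, secret_key, when,
             service="opensearch", session_token=None):
    """Sign a GET with no query string and an empty body; return headers and intermediates."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials must also sign the session token
        headers["x-amz-security-token"] = session_token
    signed_names = sorted(headers)  # lowercase, sorted, as SigV4 requires
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in signed_names)
    signed_headers = ";".join(signed_names)
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/~"),  # canonical URI; enough for "/" and "/_login/"
        "",                      # canonical query string: none for a header-signed GET
        canonical_headers,       # each header line already ends in "\n"
        signed_headers,
        _sha256_hex(b""),        # hash of the empty payload
    ])
    credential_scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, credential_scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    out = {k.title(): headers[k] for k in signed_names}  # e.g. "Host", "X-Amz-Date"
    out["Authorization"] = (f"{ALGORITHM} Credential={access_key}/{credential_scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"headers": out, "canonical_request": canonical_request,
            "string_to_sign": string_to_sign}


# Constructed sample values; a real request uses datetime.datetime.now(datetime.timezone.utc).
SAMPLE_HOST = "app-EXAMPLE.us-east-1.opensearch.amazonaws.com"
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_TIME = datetime.datetime(2024, 1, 15, 12, 0, 0, tzinfo=datetime.timezone.utc)


def example_signing(service="opensearch"):
    """Sign GET / on the sample host at the fixed sample time."""
    return sign_get(SAMPLE_HOST, "/", "us-east-1", SAMPLE_ACCESS_KEY,
                    SAMPLE_SECRET_KEY, SAMPLE_TIME, service=service)


if __name__ == "__main__":
    result = example_signing()
    print(result["canonical_request"], end="\n\n")
    print(result["string_to_sign"], end="\n\n")
    for name, value in result["headers"].items():
        print(f"{name}: {value}")
```

Comparing `example_signing()` with `example_signing(service="es")` shows the SignatureDoesNotMatch case from the troubleshooting table: the credential scope and the derived signing key both change with the service name, so the same request produces a different signature.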

Configuration summary

| Layer      | Configuration                                      | Required for login?                 |
|------------|----------------------------------------------------|-------------------------------------|
| IAM Policy | opensearch:ApplicationAccessAll on application ARN | ✅ Yes                              |
| IAM Policy | es:GetApplication on application ARN               | Only for AWS Console navigation     |
| App Config | opensearchDashboards.dashboardAdmin.users          | No — controls admin features only   |

Troubleshooting

| Symptom                                            | Likely cause                                        | Resolution                                                                                              |
|----------------------------------------------------|-----------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| 403 Forbidden when accessing application URL       | Missing opensearch:ApplicationAccessAll permission  | Add the IAM policy from Step 1. Note: the action is opensearch:ApplicationAccessAll, not es:ESHttpGet |
| 403 "not authorized to perform es:GetApplication"  | Missing console permission                          | Add es:GetApplication on the application ARN (only needed for AWS Console access)                       |
| 400 Bad Request on /_login/ via curl               | /_login/ endpoint is browser-only                   | Use SigV4 header auth on / for programmatic access                                                      |
| Presigned URL returns SignatureDoesNotMatch        | Wrong SigV4 service name                            | Use opensearch as the service name, not es or aoss                                                      |
| Can access app but no admin features               | Dashboard admin not configured                      | Run update-application with opensearchDashboards.dashboardAdmin.users from Step 2                       |
| Presigned URL expired                              | URL was generated more than 300 seconds ago         | Generate a new presigned URL — they are short-lived                                                     |