IAM Policies Reference

This page is the complete reference for all IAM actions used with OpenSearch UI applications. Permissions are organized into two tiers: base permissions (required for all applications) and IDC-specific permissions (only needed if using IAM Identity Center).

Tier 1: Base permissions (all applications)

These permissions are required regardless of your authentication method.

Application management

Action	Purpose	Resource
`es:CreateApplication`	Create new applications	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/*`
`es:GetApplication`	View application details in AWS Console	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/<APP_ID>`
`es:UpdateApplication`	Modify application settings	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/<APP_ID>`
`es:DeleteApplication`	Delete applications	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/<APP_ID>`
`es:ListApplications`	List all applications	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/*`

Tag management

Action	Purpose	Resource
`es:AddTags`	Add tags to applications	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/<APP_ID>`
`es:ListTags`	List tags on applications	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/<APP_ID>`
`es:RemoveTags`	Remove tags from applications	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/<APP_ID>`

Data source access

Action	Purpose	Resource
`aoss:BatchGetCollection`	Associate serverless collections	Collection ARN
`es:DescribeDomain`	Associate OpenSearch domains	Domain ARN
`es:GetDirectQueryDataSource`	Associate direct query data sources	Domain ARN

Application UI access

Action	Purpose	Resource
`opensearch:ApplicationAccessAll`	Access the application UI	`arn:aws:opensearch:<REGION>:<ACCOUNT>:application/*`
`aoss:APIAccessAll`	Access serverless collection data	Collection ARN
`es:ESHttp*`	Access domain data via HTTP	Domain ARN
`opensearch:DirectQuery`	Access direct query data sources	Domain ARN

Service-linked role

Action	Purpose	Resource
`iam:CreateServiceLinkedRole`	Allows OpenSearch to publish CloudWatch metrics	`arn:aws:iam:::role/aws-service-role/opensearchservice.amazonaws.com/`

Tier 2: IDC-specific permissions (SSO only)

These permissions are only needed if you're using IAM Identity Center for authentication. Add them on top of the base permissions.

IDC application management

Action	Purpose	Resource
`sso:CreateApplication`	Register the app with IDC	`*`
`sso:DeleteApplication`	Remove the IDC app registration	`*`
`sso:PutApplicationGrant`	Configure IDC grants for the app	`*`
`sso:PutApplicationAuthenticationMethod`	Set IDC auth method	`*`
`sso:PutApplicationAccessScope`	Configure IDC access scopes	`*`
`sso:PutApplicationAssignmentConfiguration`	Configure user assignment settings	`*`
`sso:GetApplicationGrant`	Read IDC grant configuration	`*`
`sso:ListInstances`	List IDC instances in the account	`*`

IAM role management for IDC

Action	Purpose	Resource
`iam:PassRole`	Pass the IAM role to the IDC application	Role ARN
`iam:CreateRole`	Create the IAM role for IDC (if creating new)	`*`
`iam:AttachRolePolicy`	Attach policies to the IDC role	Role ARN

Minimum policy for UI access

The simplest policy to grant a user access to an OpenSearch UI application:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "opensearch:ApplicationAccessAll",
            "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
        }
    ]
}

To scope to a specific application, replace * with the application ID:

"Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"

Full admin policy (application management + IDC)

For administrators who need to create and manage applications with IDC:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ApplicationManagement",
            "Effect": "Allow",
            "Action": [
                "es:CreateApplication",
                "es:GetApplication",
                "es:UpdateApplication",
                "es:DeleteApplication",
                "es:ListApplications",
                "es:AddTags",
                "es:ListTags",
                "es:RemoveTags"
            ],
            "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
        },
        {
            "Sid": "DataSourceAccess",
            "Effect": "Allow",
            "Action": [
                "aoss:BatchGetCollection",
                "es:DescribeDomain",
                "es:GetDirectQueryDataSource"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ApplicationUIAccess",
            "Effect": "Allow",
            "Action": "opensearch:ApplicationAccessAll",
            "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
        },
        {
            "Sid": "IDCIntegration",
            "Effect": "Allow",
            "Action": [
                "sso:CreateApplication",
                "sso:DeleteApplication",
                "sso:PutApplicationGrant",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationAccessScope",
                "sso:PutApplicationAssignmentConfiguration",
                "sso:GetApplicationGrant",
                "sso:ListInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PassRoleForIDC",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/OpenSearchUI-IDC-Role"
        },
        {
            "Sid": "ServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/*"
        }
    ]
}

Replace <REGION>, <ACCOUNT_ID>, and role names with your actual values. Scope resources as narrowly as possible for production use.

Common mistakes

Mistake	Why it fails	Correct action
Using `es:ESHttpGet` for app access	Wrong namespace — applications use `opensearch:`, not `es:`	Use `opensearch:ApplicationAccessAll`
Using `es:ApplicationLogin`	This action does not exist or grant UI access	Use `opensearch:ApplicationAccessAll`
Using `aoss:DashboardsAccessAll`	Works but requires `Resource: *` — overly broad	Use `opensearch:ApplicationAccessAll` with scoped resource
Scoping `es:*` to application ARN	The `es:` namespace does not authorize application access	Use `opensearch:ApplicationAccessAll`
Missing `iam:PassRole` for IDC setup	Can't associate the IAM role with the IDC application	Add `iam:PassRole` scoped to the specific role ARN
Using `opensearch` actions with `es:` prefix	Different service namespaces	`opensearch:` for application access, `es:` for domain/console operations

IAM Auth Setup — Step-by-step IAM authentication guide
IDC Auth Setup — Step-by-step IDC authentication guide
AWS docs: OpenSearch Service IAM actions
AWS docs: IAM Identity Center permissions