IDC Auth Setup

This guide walks through setting up IAM Identity Center (IDC) authentication for your OpenSearch UI application. IDC gives your team a browser-based SSO login experience — users sign in with their IDC credentials instead of generating presigned URLs.

Prerequisites checklist

Before you start, make sure you have:

  • AWS account with both base and IDC IAM permissions
  • IAM Identity Center enabled in your account or organization
    • If not enabled, see Enabling IAM Identity Center
    • Note whether you have an organization instance or account instance — this affects some configuration steps
  • An IAM role with the required permission policy AND trust policy (you'll create this below if you don't have one)
  • At least one OpenSearch domain or serverless collection in your region
  • At least one user or group created in IDC

Step A: Verify IDC is enabled

  1. Open the IAM Identity Center console
  2. If you see a dashboard with your IDC instance details → IDC is enabled. Note the instance type (organization or account).
  3. If you see a setup/welcome page → you need to enable IDC first.

Enabling IDC (if needed)

  • Organization instance (recommended): Works across all accounts in your AWS Organization. Best for production use.
  • Account instance: Scoped to a single account. Good for testing or isolated setups.

If your AWS account is part of an organization and someone else manages it, check with your admin — they may need to enable IDC at the organization level.

Step B: Create the IAM role

IDC needs an IAM role to assume when users access your OpenSearch UI application. This role needs two things: a permission policy (what the role can do) and a trust policy (who can assume the role).

Permission policy

Create a policy with the permissions needed to access the application:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "opensearch:ApplicationAccessAll",
            "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
        }
    ]
}

Trust policy

The trust policy must allow the IDC service to assume this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "sso.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create the role via CLI

# Create the role with the trust policy
aws iam create-role \
  --role-name OpenSearchUI-IDC-Role \
  --assume-role-policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Principal":{"Service":"sso.amazonaws.com"},
      "Action":"sts:AssumeRole"
    }]
  }'
# Attach the permission policy
aws iam put-role-policy \
  --role-name OpenSearchUI-IDC-Role \
  --policy-name OpenSearchAppAccess \
  --policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Action":"opensearch:ApplicationAccessAll",
      "Resource":"arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
    }]
  }'

Note the role ARN — you'll need it in the next step. It looks like: arn:aws:iam::<ACCOUNT_ID>:role/OpenSearchUI-IDC-Role

Step C: Create the application with IDC enabled

Console

  1. Open the OpenSearch Service console
  2. In the left navigation, choose OpenSearch UI (Dashboards)
  3. Choose Create application
  4. Enter an application name
  5. Add at least one data source (OpenSearch domain or serverless collection)
  6. Under Authentication, check Authentication with IAM Identity Center
  7. Select your IAM role from the dropdown (the role you created in Step B)
  8. (Optional) Configure dashboard admins under Advanced settings
  9. Choose Create

CLI

aws opensearch create-application \
  --name "my-opensearch-app" \
  --iam-identity-center-options '{
    "enabled": true,
    "iamRoleForIdentityCenterApplicationArn": "arn:aws:iam::<ACCOUNT_ID>:role/OpenSearchUI-IDC-Role"
  }' \
  --data-sources '[{
    "dataSourceArn": "arn:aws:es:<REGION>:<ACCOUNT_ID>:domain/<DOMAIN_NAME>"
  }]' \
  --region <REGION>
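Before running the create-application command, it is worth checking that the role from Step B actually has the trust and permission policies the guide describes, and that the ARN you pass in --iam-identity-center-options is the same role. The following is an added pre-flight check (example code written for this guide, not tooling shipped with the OpenSearch service or the AWS CLI). The two policy documents, the account id 123456789012 and the region us-east-1 are constructed sample values; on a real account you would load the documents from `aws iam get-role` and `aws iam get-role-policy` instead. The checker accepts IAM's string-or-list form for Action, Resource and Principal fields and flags the overly broad Principal "*" and Resource "*" cases as findings rather than passing them.

```python
"""Pre-flight checks for the IDC role (Step B) and the application options (Step C)."""
import json

# Constructed sample documents mirroring the policies shown in Step B. On a real
# account, fetch the live documents with:
#   aws iam get-role --role-name OpenSearchUI-IDC-Role --query Role.AssumeRolePolicyDocument
#   aws iam get-role-policy --role-name OpenSearchUI-IDC-Role --policy-name OpenSearchAppAccess --query PolicyDocument
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sso.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "opensearch:ApplicationAccessAll",
        "Resource": "arn:aws:opensearch:us-east-1:123456789012:application/*",
    }],
}


def _as_list(value):
    """IAM allows a bare string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Return findings (strings); an empty list means Step B's trust requirement is met."""
    findings = []
    allows_sso = False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal ('*'); restrict it to sso.amazonaws.com")
            continue
        if not isinstance(principal, dict):
            continue
        if "*" in _as_list(principal.get("AWS")):
            findings.append("trust policy allows any AWS principal ('*'); restrict it to sso.amazonaws.com")
        services = _as_list(principal.get("Service"))
        if "sso.amazonaws.com" in services and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            allows_sso = True
    if not allows_sso:
        findings.append("trust policy does not let sso.amazonaws.com call sts:AssumeRole")
    return findings


def check_permission_policy(doc, region, account_id):
    """Return findings for the Step B permission policy, scoped to the expected region/account."""
    findings = []
    expected_prefix = f"arn:aws:opensearch:{region}:{account_id}:application/"
    granted = False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in actions for a in ("opensearch:ApplicationAccessAll", "opensearch:*", "*")):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append("permission policy uses Resource '*'; scope it to application ARNs in this account")
                granted = True
            elif resource.startswith(expected_prefix):
                granted = True
            else:
                findings.append(f"resource {resource} is not an application ARN in {region}/{account_id}")
    if not granted:
        findings.append("permission policy does not grant opensearch:ApplicationAccessAll on the application ARN")
    return findings


def role_arn(account_id, role_name):
    """The ARN shape quoted at the end of Step B."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def idc_options(account_id, role_name):
    """Build the JSON value passed to --iam-identity-center-options in Step C."""
    return json.dumps({
        "enabled": True,
        "iamRoleForIdentityCenterApplicationArn": role_arn(account_id, role_name),
    })


def preflight(trust_doc, perm_doc, region, account_id, role_name, app_role_arn):
    """Run every check; app_role_arn is the ARN the application is (or will be) created with."""
    findings = check_trust_policy(trust_doc) + check_permission_policy(perm_doc, region, account_id)
    expected = role_arn(account_id, role_name)
    if app_role_arn != expected:
        findings.append(f"application references {app_role_arn}, not {expected}")
    return findings


if __name__ == "__main__":
    problems = preflight(TRUST_POLICY, PERMISSION_POLICY, "us-east-1", "123456789012",
                         "OpenSearchUI-IDC-Role", role_arn("123456789012", "OpenSearchUI-IDC-Role"))
    print("ready to create application" if not problems else "\n".join(problems))
    print(idc_options("123456789012", "OpenSearchUI-IDC-Role"))
```

An empty findings list from preflight() means the role satisfies Step B and the ARN you are about to pass in Step C points at that same role; each non-empty finding maps onto a row of the troubleshooting table below (trust policy missing the SSO principal, permission policy missing the action, role ARN mismatch), so you catch those before the first login attempt rather than after.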

Step D: Assign users in IDC

After creating the application, you need to assign IDC users or groups so they can log in:

  1. Open the IAM Identity Center console
  2. In the left navigation, choose Applications
  3. Find the application that was automatically registered (it will match your OpenSearch UI app name)
  4. Choose Assign users and groups
  5. Select the users or groups that should have access
  6. Choose Assign

Step E: Verify your setup

  1. In the OpenSearch Service console, check that your application status shows Active
  2. Verify that Authentication with IAM Identity Center shows as Enabled in the application details
  3. Copy the Application URL from the application details page
  4. Open the Application URL in your browser — you should be redirected to the IDC login page
  5. Sign in with your IDC credentials — you should see the OpenSearch UI workspace selector

Troubleshooting

Each entry below lists a symptom, its likely cause, and the resolution:

  • "IAM Identity Center is not enabled" during app creation
    • Likely cause: No IDC instance in your account or organization
    • Resolution: Enable IDC in the IAM Identity Center console
  • SSO login redirects but returns an error
    • Likely cause: IAM role trust policy missing sso.amazonaws.com
    • Resolution: Update the role's trust policy to include the SSO service principal (see Step B)
  • SSO login works but user has no access
    • Likely cause: User not assigned to the IDC application
    • Resolution: Assign the user to the application in the IDC console (see Step D)
  • "Access denied" after IDC login
    • Likely cause: IAM role permission policy missing required actions
    • Resolution: Verify the role has opensearch:ApplicationAccessAll and data source access permissions
  • Application shows "IDC enabled" but login fails
    • Likely cause: IAM role ARN mismatch
    • Resolution: Verify the role ARN in application settings matches the role with the correct trust and permission policies
  • "Unable to create application" with IDC
    • Likely cause: Missing IDC-specific IAM permissions
    • Resolution: Ensure your IAM user/role has the sso:CreateApplication, sso:PutApplicationGrant, and iam:PassRole permissions. See IAM Policies Reference
  • IDC login page shows but no users can sign in
    • Likely cause: No users assigned in IDC
    • Resolution: Go to IDC console → Applications → your app → Assign users and groups
