Authentication Setup

OpenSearch Applications support two authentication methods: IAM and SAML SSO (via IAM Identity Center). This guide covers IAM authentication setup.

Minimum IAM policy

Attach this policy to any IAM role that needs access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "opensearch:ApplicationAccessAll",
            "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
        }
    ]
}

To scope to a specific application:

"Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"

CLI example:

aws iam put-role-policy \
  --role-name <ROLE_NAME> \
  --policy-name OpenSearchAppAccess \
  --policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Action":"opensearch:ApplicationAccessAll",
      "Resource":"arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
    }]
  }'

Important: The action is opensearch:ApplicationAccessAll, not es:ESHttpGet or es:ApplicationLogin.

AWS Console access (optional)

If users navigate to the application through the AWS Console, also add:

{
    "Effect": "Allow",
    "Action": "es:GetApplication",
    "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"
}

Configure dashboard admin

Control who gets admin privileges inside the dashboards:

# Allow all authenticated users
aws opensearch update-application \
  --id <APP_ID> \
  --app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"*"}]' \
  --region <REGION>
 
# Allow a specific role
aws opensearch update-application \
  --id <APP_ID> \
  --app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"}]' \
  --region <REGION>

Dashboard admin controls admin-level features inside the UI. It is not required for login — the IAM policy alone is sufficient.

Verify access

Browser (presigned URL)

Generate a presigned URL and open it in a browser:

from botocore.session import Session
from botocore.auth import SigV4QueryAuth
from botocore.awsrequest import AWSRequest
 
session = Session()
cred = session.get_credentials().get_frozen_credentials()
 
endpoint = "<APP_ENDPOINT>"
region = "<REGION>"
 
url = f"https://{endpoint}/_login/"
request = AWSRequest(method="GET", url=url)
SigV4QueryAuth(cred, "opensearch", region, expires=300).add_auth(request)
 
print(request.url)  # Open this URL in a browser

The /_login/ presigned URL only works in a browser, not with curl.

curl (SigV4 header auth)

from botocore.session import Session
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
import subprocess
 
session = Session()
cred = session.get_credentials().get_frozen_credentials()
 
url = f"https://<APP_ENDPOINT>/"
request = AWSRequest(method="GET", url=url)
SigV4Auth(cred, "opensearch", "<REGION>").add_auth(request)
 
cmd = ["curl", "-s", "-w", "\\nHTTP: %{http_code}\\n", "-D", "-"]
for k, v in request.headers.items():
    cmd.extend(["-H", f"{k}: {v}"])
cmd.append(url)
 
result = subprocess.run(cmd, capture_output=True, text=True)
print(result.stdout)

Success: HTTP/1.1 302 Found with location: /app/workspace_initial

Failure: HTTP/1.1 403 Forbidden

SigV4 signing details

Parameter	Value
Service name	`opensearch`
Algorithm	AWS4-HMAC-SHA256
Signed headers	`host` (minimum)

Common mistake: Using es or aoss as the SigV4 service name. The correct service name is opensearch.

Summary

Layer	Configuration	Required for login?
IAM Policy	`opensearch:ApplicationAccessAll` on application ARN	✅ Yes
IAM Policy	`es:GetApplication` on application ARN	Only for AWS Console
App Config	`opensearchDashboards.dashboardAdmin.users`	No (controls admin features)