Configuration

Required IAM permissions

Attach this policy to the IAM user or role that will create and manage the application. Note that es:ESHttp* and aoss:APIAccessAll with "Resource": "*" grant data-plane access to every OpenSearch domain and Serverless collection in the account, not only the ones the application fronts; where possible, restrict those two actions to the ARNs of the domains and collections the application actually uses.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:CreateApplication",
        "es:DeleteApplication",
        "es:GetApplication",
        "es:ListApplications",
        "es:UpdateApplication",
        "es:AddTags",
        "es:ListTags",
        "es:RemoveTags",
        "aoss:APIAccessAll",
        "es:ESHttp*",
        "opensearch:StartDirectQuery",
        "opensearch:GetDirectQuery",
        "opensearch:CancelDirectQuery",
        "opensearch:GetDirectQueryResult",
        "aoss:BatchGetCollection",
        "aoss:ListCollections",
        "es:DescribeDomain",
        "es:DescribeDomains",
        "es:ListDomainNames",
        "es:GetDirectQueryDataSource",
        "es:ListDirectQueryDataSources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/opensearchservice.amazonaws.com/AWSServiceRoleForAmazonOpenSearchService"
    }
  ]
}

Authentication options

IAM authentication (default)

No extra setup is needed. Users sign in with AWS IAM credentials (an IAM user or an assumed role), so access is governed by IAM policy alone.

IAM Identity Center (SSO)

Enables single sign-on through corporate identity providers (Okta, Microsoft Entra ID (formerly Azure AD), Ping, etc.) federated into IAM Identity Center.

Additional permissions required for the creating user:

  • sso:CreateApplication, sso:DeleteApplication, sso:PutApplicationGrant
  • sso:PutApplicationAccessScope, sso:PutApplicationAuthenticationMethod
  • sso:ListInstances, sso:DescribeApplication, sso:CreateApplicationAssignment
  • sso-directory:SearchGroups, sso-directory:SearchUsers
  • identitystore:DescribeUser, identitystore:DescribeGroup
  • iam:PassRole on the role passed as iamRoleForIdentityCenterApplicationArn (scope the Resource of this statement to that one role ARN rather than "*", since PassRole on "*" lets the caller hand any role in the account to the service)

Create with Identity Center enabled:

aws opensearch create-application \
    --name my-sso-app \
    --region us-east-1 \
    --iam-identity-center-options '{
      "enabled": true,
      "iamIdentityCenterInstanceArn": "arn:aws:sso:::instance/ssoins-abc123",
      "iamRoleForIdentityCenterApplicationArn": "arn:aws:iam::123456789012:role/OpenSearchUI-IDC-Role"
    }'

Managing administrators

Administrators can edit or delete the application and manage its workspaces, so treat the administrator list as a privileged setting and change it deliberately.

Add an IAM user as admin

aws opensearch update-application \
    --id my-app-id \
    --app-configs '{
      "key": "opensearchDashboards.dashboardAdmin.users",
      "value": "arn:aws:iam::123456789012:user/admin-user"
    }'

Add an Identity Center user as admin

aws opensearch update-application \
    --id my-app-id \
    --app-configs '{
      "key": "opensearchDashboards.dashboardAdmin.users",
      "value": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
    }'

Each application must retain at least one administrator, so when rotating administrators add the new one before removing the old one rather than the other way round.
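The two procedures above (creating an application with Identity Center enabled, and adding or removing administrators) both come down to handing the AWS CLI a small JSON payload, and the page's one hard rule is that the administrator list must never end up empty. The following helper is an added example, not code from the page or from AWS; it composes and sanity-checks those payloads offline so the checks can be tested without AWS credentials, and the resulting JSON is what you would pass to --iam-identity-center-options and --app-configs. The ARN and ID shape checks are assumptions derived from the page's own examples, not the authoritative IAM grammar, and the comma-joined format for several administrators is also an assumption (the page only shows single values).

```python
"""Compose and sanity-check payloads for `aws opensearch create-application
--iam-identity-center-options` and `aws opensearch update-application
--app-configs`.

Added example, not code from the page or from AWS. Shape checks are
assumptions based on the page's examples, not the full IAM grammar.
"""
import json
import re
import uuid

# Config key the page uses for the administrator list.
ADMIN_KEY = "opensearchDashboards.dashboardAdmin.users"

# ASSUMPTION: loose ARN shapes derived from the page's examples.
IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")
IAM_ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
SSO_INSTANCE_RE = re.compile(r"^arn:aws:sso:::instance/ssoins-[0-9a-f]+$")


def classify_admin(identifier):
    """Return 'iam' for an IAM user/role ARN or 'idc' for an Identity Center
    user ID (a UUID, as in the page's example); raise ValueError otherwise."""
    if IAM_PRINCIPAL_RE.match(identifier):
        return "iam"
    try:
        uuid.UUID(identifier)
    except ValueError:
        raise ValueError(
            f"not an IAM principal ARN or Identity Center user ID: {identifier!r}"
        ) from None
    return "idc"


def admin_app_configs(admins):
    """Build the object passed to --app-configs. Every entry is validated and
    an empty list is refused, because an application must keep one admin."""
    admins = [a.strip() for a in admins if a and a.strip()]
    if not admins:
        raise ValueError("an application must retain at least one administrator")
    for admin in admins:
        classify_admin(admin)
    # ASSUMPTION: several administrators are joined with commas.
    return {"key": ADMIN_KEY, "value": ",".join(admins)}


def remove_admin(current_value, identifier):
    """Given the current value of the admin key and one identifier to drop,
    return the replacement --app-configs object. Refuses a removal that would
    leave the application with no administrator. (Splits on ',' so it assumes
    admin names themselves contain no comma.)"""
    remaining = [a for a in (x.strip() for x in current_value.split(","))
                 if a and a != identifier]
    return admin_app_configs(remaining)


def identity_center_options(instance_arn, role_arn, enabled=True):
    """Build --iam-identity-center-options after checking the ARN shapes."""
    if not SSO_INSTANCE_RE.match(instance_arn):
        raise ValueError(f"bad Identity Center instance ARN: {instance_arn!r}")
    if not IAM_ROLE_RE.match(role_arn):
        raise ValueError(f"bad IAM role ARN: {role_arn!r}")
    return {
        "enabled": enabled,
        "iamIdentityCenterInstanceArn": instance_arn,
        "iamRoleForIdentityCenterApplicationArn": role_arn,
    }


def pass_role_statement(role_arn):
    """iam:PassRole statement scoped to the single role the application is
    given, instead of Resource "*"."""
    if not IAM_ROLE_RE.match(role_arn):
        raise ValueError(f"bad IAM role ARN: {role_arn!r}")
    return {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn}


def to_cli_arg(payload):
    """Serialize for the AWS CLI, which takes the payload as one JSON string."""
    return json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    # Values are the page's own placeholders, constructed for illustration.
    print(to_cli_arg(identity_center_options(
        "arn:aws:sso:::instance/ssoins-abc123",
        "arn:aws:iam::123456789012:role/OpenSearchUI-IDC-Role")))
    print(to_cli_arg(admin_app_configs(
        ["arn:aws:iam::123456789012:user/admin-user"])))
```

Feed the output of to_cli_arg straight to the CLI flag, for example aws opensearch update-application --id my-app-id --app-configs "$(python3 helper.py ...)". The remove_admin check is the one worth keeping in any automation: fetch the current value first and rebuild the list from it, rather than overwriting the key with a value computed from stale state.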