App Stuck Creating

When you create an OpenSearch UI application, it typically takes a few minutes to become active. However, in some cases the application can appear stuck in the "Creating" state for an extended period. This guide covers the common causes and how to resolve them.

Normal creation timeline

Understanding what's normal helps you identify when something is actually stuck:

Scenario                                       Expected Creation Time
Application with public domains                2-5 minutes
Application with VPC domains                   5-10 minutes
Application with multiple data sources         5-15 minutes
Application with cross-account data sources    10-20 minutes
First application in a new region              5-10 minutes

If your application has been in "Creating" state for less than 20 minutes, it may still be provisioning normally — especially if VPC domains are involved.

Checking application status

Via the console

  1. Open the Amazon OpenSearch Service console
  2. Navigate to OpenSearch UI (Dashboards)
  3. Find your application in the list
  4. Check the Status column

Via the CLI

aws opensearch get-application \
    --id app-abc123def456 \
    --region us-east-1

Look at the status field in the response:

{
  "id": "app-abc123def456",
  "name": "my-application",
  "status": "CREATING",
  "createdAt": "2025-06-15T10:30:00Z"
}

Common causes and solutions

1. Insufficient IAM permissions

The most common cause of a stuck application is missing IAM permissions. The IAM principal creating the application needs a specific set of permissions.

Symptoms:

  • Application stays in "Creating" for more than 20 minutes
  • No error message in the console
  • CloudTrail shows AccessDenied events

Solution:

Ensure the creating principal has these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:CreateApplication",
        "es:GetApplication",
        "es:UpdateApplication",
        "es:ListApplications",
        "iam:CreateServiceLinkedRole"
      ],
      "Resource": "*"
    }
  ]
}

The iam:CreateServiceLinkedRole permission is critical — OpenSearch UI creates a service-linked role on first use. If this permission is missing, the application creation silently stalls.
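The policy above grants iam:CreateServiceLinkedRole on every resource, which lets the principal create a service-linked role for any AWS service. The following check is an added example, not code from this guide or from AWS: it flags Allow statements that grant the action without an iam:AWSServiceName condition. SCOPED_POLICY is a constructed variant pinned to the service name used on this page, and the check matches only the exact action and the iam:* and * wildcards.

```python
# Added example: both policies are sample input (PAGE_POLICY mirrors the
# policy above; SCOPED_POLICY is constructed for illustration).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["es:CreateApplication", "es:GetApplication", "es:UpdateApplication",
               "es:ListApplications", "iam:CreateServiceLinkedRole"],
    "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["es:CreateApplication", "es:GetApplication",
                "es:UpdateApplication", "es:ListApplications"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "iam:CreateServiceLinkedRole",
     "Resource": "*",
     "Condition": {"StringEquals": {
         "iam:AWSServiceName": "opensearchservice.amazonaws.com"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_slr(actions):
    # The exact action, or a wildcard that includes it.
    return any(a.lower() in ("iam:createservicelinkedrole", "iam:*", "*")
               for a in actions)

def _pinned_services(statement):
    """Services named by an iam:AWSServiceName string condition, if any."""
    pinned = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            continue
        for key, value in keys.items():
            if key.lower() == "iam:awsservicename":
                pinned += [v for v in _as_list(value) if v != "*"]
    return pinned

def unscoped_slr_statements(policy):
    """Indexes of Allow statements that permit creating a service-linked
    role for any AWS service (no iam:AWSServiceName restriction)."""
    return [i for i, stmt in enumerate(_as_list(policy["Statement"]))
            if stmt.get("Effect") == "Allow"
            and _grants_slr(_as_list(stmt.get("Action", [])))
            and not _pinned_services(stmt)]

if __name__ == "__main__":
    print("page policy:", unscoped_slr_statements(PAGE_POLICY))
    print("scoped policy:", unscoped_slr_statements(SCOPED_POLICY))
```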

2. Service-linked role issues

OpenSearch UI uses a service-linked role (AWSServiceRoleForAmazonOpenSearchService) to manage resources on your behalf. If this role can't be created or is in a bad state, application creation fails.

Symptoms:

  • First application in the account gets stuck
  • CloudTrail shows CreateServiceLinkedRole failures

Solution:

Check if the service-linked role exists:

aws iam get-role \
    --role-name AWSServiceRoleForAmazonOpenSearchService

If it doesn't exist, create it manually:

aws iam create-service-linked-role \
    --aws-service-name opensearchservice.amazonaws.com

If it exists but is in a bad state, delete and recreate:

aws iam delete-service-linked-role \
    --role-name AWSServiceRoleForAmazonOpenSearchService
 
# Wait a few minutes, then recreate
aws iam create-service-linked-role \
    --aws-service-name opensearchservice.amazonaws.com

3. VPC endpoint provisioning delays

When your application includes VPC-based data sources, the service needs to create VPC endpoints. This can take longer than public domain associations.

Symptoms:

  • Application with VPC domains takes 15-20+ minutes
  • The associated domain is in a VPC
  • No error messages

Solution:

  • Wait up to 20 minutes — VPC endpoint creation is inherently slower
  • Verify the VPC endpoint authorization is in place:
    aws opensearch list-vpc-endpoint-access \
        --domain-name my-vpc-domain
  • Check that the domain's security group allows inbound TCP 443

4. Data source domain is not active

If an associated data source domain is itself in a non-active state (creating, processing, upgrading), the application creation may stall waiting for it.

Symptoms:

  • Application stuck in "Creating"
  • One or more associated domains are not in "Active" state

Solution:

Check the status of all associated domains:

aws opensearch describe-domain \
    --domain-name my-domain \
    --region us-east-1

Wait for all domains to reach Active status before creating the application, or create the application without data sources and add them later:

# Create application without data sources
aws opensearch create-application \
    --name my-app \
    --region us-east-1
 
# Add data sources after the app is active
aws opensearch update-application \
    --id app-abc123def456 \
    --data-sources '[...]'

5. AWS Organizations SCP restrictions

Service Control Policies (SCPs) in AWS Organizations can block the permissions needed for application creation, even if the IAM policy allows them.

Symptoms:

  • IAM permissions look correct
  • Application still gets stuck
  • CloudTrail shows AccessDenied with an SCP denial

Solution:

  • Check SCPs applied to the account in AWS Organizations
  • Ensure SCPs allow es:CreateApplication and iam:CreateServiceLinkedRole
  • Work with your organization admin to add exceptions if needed

6. Regional service limits

Each region has limits on the number of OpenSearch UI applications you can create. If you've hit the limit, new applications may fail silently.

Symptoms:

  • Application creation starts but never completes
  • You have many existing applications in the region

Solution:

Check your current application count:

aws opensearch list-applications --region us-east-1

The default limit is typically 10 applications per region. Request a limit increase through the AWS Service Quotas console if needed.

Diagnostic checklist

Run through this checklist when your application is stuck:

  1. How long has it been? If less than 20 minutes, wait.
  2. Check CloudTrail for any AccessDenied or error events:
    # GNU date syntax; on macOS/BSD use: date -u -v-1H +%Y-%m-%dT%H:%M:%SZ
    aws cloudtrail lookup-events \
        --lookup-attributes AttributeKey=EventName,AttributeValue=CreateApplication \
        --start-time "$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)"
  3. Verify IAM permissions — especially iam:CreateServiceLinkedRole
  4. Check data source health — all associated domains should be Active
  5. Check VPC authorization — if using VPC domains
  6. Check service quotas — verify you haven't hit the application limit
  7. Check SCPs — if the account is in an AWS Organization
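To turn the CloudTrail step into a triage result, the added example below (not part of the original guide) reads `aws cloudtrail lookup-events` JSON output and maps each failed call to one of the causes above. The sample events are constructed. It assumes that an SCP denial can be recognised by the phrase "service control policy" in errorMessage and that denials use the AccessDenied or AccessDeniedException error codes.

```python
import json

DENIED_CODES = ("AccessDenied", "AccessDeniedException")  # assumed codes

def classify(record):
    """Map one decoded CloudTrail record to a cause from this guide."""
    code = record.get("errorCode")
    if not code:
        return None                      # the call succeeded
    if code not in DENIED_CODES:
        return "other-error"
    # Assumption: SCP denials mention "service control policy" in the message.
    if "service control policy" in record.get("errorMessage", "").lower():
        return "scp-denial"              # cause 5
    if record.get("eventName") == "CreateServiceLinkedRole":
        return "service-linked-role-denied"   # causes 1 and 2
    return "iam-permission-missing"      # cause 1

def triage(lookup_output):
    """Return (eventName, caller ARN, cause) for every failed call."""
    findings = []
    for event in json.loads(lookup_output).get("Events", []):
        record = json.loads(event["CloudTrailEvent"])  # nested JSON string
        cause = classify(record)
        if cause:
            arn = record.get("userIdentity", {}).get("arn")
            findings.append((record.get("eventName"), arn, cause))
    return findings

# Constructed sample in the shape of `aws cloudtrail lookup-events` output.
ARN = "arn:aws:iam::111122223333:user/example-user"

def _event(name, code=None, message=None):
    record = {"eventName": name, "userIdentity": {"arn": ARN}}
    if code:
        record.update(errorCode=code, errorMessage=message)
    return {"EventName": name, "CloudTrailEvent": json.dumps(record)}

SAMPLE = json.dumps({"Events": [
    _event("CreateApplication"),
    _event("CreateServiceLinkedRole", "AccessDenied",
           "not authorized to perform: iam:CreateServiceLinkedRole "
           "with an explicit deny in a service control policy"),
    _event("CreateApplication", "AccessDeniedException",
           "not authorized to perform: es:CreateApplication because no "
           "identity-based policy allows the es:CreateApplication action"),
]})

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

lookup-events accepts a single lookup attribute per call, so covering CreateServiceLinkedRole as well as CreateApplication takes a second lookup whose output is passed through `triage` separately.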

When to delete and retry

If your application has been stuck for more than 30 minutes and you've verified all the above:

  1. Delete the stuck application:
    aws opensearch delete-application \
        --id app-abc123def456 \
        --region us-east-1
  2. Wait 5 minutes for cleanup
  3. Fix any identified issues (permissions, VPC, etc.)
  4. Create a new application

Deleting a stuck application is safe — since it never became active, there are no saved objects or workspace data to lose.

Preventing future issues

  • Pre-check permissions before creating applications — use the IAM Policy Simulator
  • Create applications without data sources first, then add them after the app is active
  • Ensure VPC domains are authorized before associating them
  • Monitor CloudTrail for early warning signs of permission issues
  • Use Infrastructure as Code (Terraform, CloudFormation) to ensure consistent configuration

Getting help

If none of the above resolves the issue:

  1. Note the application ID and region
  2. Check CloudTrail for the exact error
  3. Open a support case with AWS Support, including:
    • Application ID
    • Region
    • Account ID
    • Time of creation attempt
    • Any CloudTrail error events