Auth Errors

Common authentication errors when accessing OpenSearch Applications and how to fix them.

403 Forbidden

Symptom: {"status":403,"error":{"reason":"403 Forbidden","type":"Forbidden"}}

Cause: The calling IAM role's policy does not allow the opensearch:ApplicationAccessAll action.

Fix: Attach a policy that allows the action. The example below grants it on every application in the account; narrow Resource to a single application ARN (as in the next section) when the caller only needs one application.

aws iam put-role-policy \
  --role-name <ROLE_NAME> \
  --policy-name OpenSearchAppAccess \
  --policy-document '{
    "Version":"2012-10-17",
    "Statement":[{
      "Effect":"Allow",
      "Action":"opensearch:ApplicationAccessAll",
      "Resource":"arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
    }]
  }'

403 "not authorized to perform es:GetApplication"

Symptom: Error in AWS Console when navigating to the application.

Cause: Missing es:GetApplication permission. This is only needed for the AWS Console flow.

Fix: Add this statement to the IAM policy:

{
    "Effect": "Allow",
    "Action": "es:GetApplication",
    "Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"
}

400 Bad Request on /_login/ via curl

Symptom: HTTP 400 with header x-aoss-response-hint: X01:gw-helper-deny

Cause: The /_login/ endpoint serves the browser login flow only; it rejects non-browser clients such as curl.

Fix: Use SigV4 header auth on / instead. See Authentication Setup for the curl verification script.

401 Unauthorized on dashboard pages

Symptom: Requests to dashboard pages return 401.

Cause: Dashboard admin is not configured on the application.

Fix:

aws opensearch update-application \
  --id <APP_ID> \
  --app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"*"}]' \
  --region <REGION>

SigV4 signature errors

Symptom: Signature mismatch or invalid signature errors.

Cause: The request was signed with the wrong SigV4 service name. The service name is part of the credential scope and of the derived signing key, so signing for es or aoss produces a signature the application rejects.

Fix: Use opensearch as the service name, not es or aoss.
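The service-name rule above, together with the earlier advice to use SigV4 header auth on / rather than /_login/ from curl, as an added stdlib-only example (not code from the original page): it builds the signed headers for one request and shows where the service name enters the credential scope and signing key. The host, region and credentials are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, host, path, region, access_key, secret_key,
                  amz_date, body=b"", service="opensearch", session_token=None):
    """Build SigV4 headers for one request. The service name is part of
    both the credential scope and the derived signing key, so signing with
    "es" or "aoss" yields a signature the application rejects."""
    date_stamp = amz_date[:8]                       # YYYYMMDD
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-content-sha256": payload_hash}
    if session_token:                               # temporary credentials
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Canonical request: method, URI, (empty) query string, headers, payload hash
    canonical_request = "\n".join([method, quote(path, safe="/~"), "",
                                   canonical_headers, signed, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request"
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Constructed placeholder values; real calls take host/region/keys from your environment.
    hdrs = sigv4_headers("GET", "<APPLICATION_HOST>", "/", "<REGION>",
                         "AKIAEXAMPLE", "secretEXAMPLE", "20240101T000000Z")
    for name, value in hdrs.items():
        print(f'-H "{name}: {value}"')
```

The printed -H lines can be passed to curl against / on the application host; a request signed with service="es" carries a different credential scope and fails with the signature error described above.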