Minimum IAM permissions required to access an OpenSearch Application UI using IAM authentication (no Identity Center).
IAM Auth Setup
Prerequisites
- An OpenSearch Application created with IAM auth
- An IAM role that needs access
- AWS CLI configured
1. Grant IAM permission
Attach this policy to the IAM role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "opensearch:ApplicationAccessAll",
"Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
}
]
}To scope to a specific application:
"Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"CLI example:
aws iam put-role-policy \
--role-name <ROLE_NAME> \
--policy-name OpenSearchAppAccess \
--policy-document '{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"opensearch:ApplicationAccessAll",
"Resource":"arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/*"
}]
}'Important: The action is opensearch:ApplicationAccessAll, not es:ESHttpGet or es:ApplicationLogin.
For AWS Console access (optional):
If users also need to navigate to the application through the AWS Console, add:
{
"Effect": "Allow",
"Action": "es:GetApplication",
"Resource": "arn:aws:opensearch:<REGION>:<ACCOUNT_ID>:application/<APP_ID>"
}2. Configure dashboard admin
Set which IAM principals get admin privileges inside the dashboards.
Allow all authenticated users:
aws opensearch update-application \
--id <APP_ID> \
--app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"*"}]' \
--region <REGION>Allow a specific role:
aws opensearch update-application \
--id <APP_ID> \
--app-configs '[{"key":"opensearchDashboards.dashboardAdmin.users","value":"arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"}]' \
--region <REGION>Note: Dashboard admin controls admin-level features inside the UI. It is not required for login — the IAM policy alone is sufficient to access the application.
3. Verify access
Browser (presigned URL)
Generate a presigned URL and open it in a browser:
from botocore.session import Session
from botocore.auth import SigV4QueryAuth
from botocore.awsrequest import AWSRequest
session = Session()
cred = session.get_credentials().get_frozen_credentials()
endpoint = "<APP_ENDPOINT>"
region = "<REGION>"
url = f"https://{endpoint}/_login/"
request = AWSRequest(method="GET", url=url)
SigV4QueryAuth(cred, "opensearch", region, expires=300).add_auth(request)
print(request.url) # Open this URL in a browserThe /_login/ presigned URL only works in a browser. It does not work with curl.
curl (SigV4 header auth)
from botocore.session import Session
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
import subprocess
session = Session()
cred = session.get_credentials().get_frozen_credentials()
endpoint = "<APP_ENDPOINT>"
region = "<REGION>"
url = f"https://{endpoint}/"
request = AWSRequest(method="GET", url=url)
SigV4Auth(cred, "opensearch", region).add_auth(request)
cmd = ["curl", "-s", "-w", "\\nHTTP: %{http_code}\\n", "-D", "-"]
for k, v in request.headers.items():
cmd.extend(["-H", f"{k}: {v}"])
cmd.append(url)
result = subprocess.run(cmd, capture_output=True, text=True)
print(result.stdout)Success: HTTP/1.1 302 Found with location: /app/workspace_initial
Failure: HTTP/1.1 403 Forbidden
SigV4 signing details
| Parameter | Value |
|---|---|
| Service name | opensearch |
| Algorithm | AWS4-HMAC-SHA256 |
| Signed headers | host (minimum) |
Common mistake: Using es or aoss as the SigV4 service name. The correct service name is opensearch.
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| 403 Forbidden | Missing opensearch:ApplicationAccessAll | Add the IAM policy from step 1 |
400 Bad Request on /_login/ via curl | /_login/ is browser-only | Use SigV4 header auth on / for curl |
| 403 "not authorized to perform es:GetApplication" | Missing console permission | Add es:GetApplication on the application ARN |
| 401 Unauthorized on dashboard pages | Dashboard admin not configured | Run update-application from step 2 |
Summary
| Layer | Configuration | Required for login? |
|---|---|---|
| IAM Policy | opensearch:ApplicationAccessAll on application ARN | ✅ Yes |
| IAM Policy | es:GetApplication on application ARN | Only for AWS Console |
| App Config | opensearchDashboards.dashboardAdmin.users | No (controls admin features) |