[BUG] OpenSearch dashboards is not accessible for console user #665

Open
konokenj opened this issue Dec 27, 2024 · 1 comment
konokenj commented Dec 27, 2024

🚨 Please Note 🚨

To ensure efficient investigation of the issue, please fill out the fields below with as much detail as possible. Reports that do not follow this template may be closed without notification. We appreciate your cooperation.

Describe the bug

With Bedrock Knowledge Bases on a custom bot, users can't access the OpenSearch dashboard even though the user has AdministratorAccess.

There is no data access control granted to the IAM roles or users used by humans. It might be a good idea to be able to configure the OpenSearch dashboard administrator role or user in cdk.json.

To Reproduce

Steps to reproduce the behavior:

  1. Create custom bot with knowledges
  2. Go to the OpenSearch Serverless collection page on the AWS Management Console
  3. Click on 'dashboard' link
  4. See error

Screenshots

image

Additional context

Add any other context about the problem here.

konokenj changed the title from "[BUG] Not accessible OpenSearch dashboards" to "[BUG] OpenSearch dashboards is not accessible for console user" on Dec 27, 2024

statefb added the enhancement label and removed the needs-triage label on Jan 14, 2025
statefb commented Jan 15, 2025

CDK Reference:

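    // Assumed import alias for the OpenSearch Serverless constructs used below.
    import * as oss from "aws-cdk-lib/aws-opensearchserverless";

    // Placeholder ARN of the administrator role (real account IDs have 12 digits).
    const ADMIN_ROLE_ARN = "arn:aws:iam::1234567890:role/Admin";
    // DATA_ACCESS_POLICY and COLLECTION_NAME are expected to be defined in the enclosing construct.
    // Separate data access policy granting the admin role access to the collection and its indexes.
    const dataAccessManagementConsolePolicy = new oss.CfnAccessPolicy(
      this,
      "DataAccessManagementConsolePolicy",
      {
        name: `${DATA_ACCESS_POLICY}-man`,
        type: "data",
        description: `Data access policy for ${COLLECTION_NAME} collection from management console.`,
        policy: `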
        [
          {
            "Rules": [
              {
                "ResourceType": "collection",
                "Resource": ["collection/${COLLECTION_NAME}"],
                "Permission": [
                  "aoss:CreateCollectionItems",
                  "aoss:DescribeCollectionItems",
                  "aoss:DeleteCollectionItems",
                  "aoss:UpdateCollectionItems"
                ]
              },
              {
                "ResourceType": "index",
                "Resource": ["index/${COLLECTION_NAME}/*"],
                "Permission": [
                  "aoss:CreateIndex",
                  "aoss:DeleteIndex",
                  "aoss:UpdateIndex",
                  "aoss:DescribeIndex",
                  "aoss:ReadDocument",
                  "aoss:WriteDocument"
                ]
              }
            ],
            "Principal": [
              "${ADMIN_ROLE_ARN}"
            ]
          }
        ]
      `,
      }
    );

Need to consider that Admin role exists.
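
One way the configurable console principals suggested in this issue could be turned into the data access policy document, as an added example that is not code from the project or from either commenter. `buildConsoleAccessPolicy`, its parameters and the `readOnly` option are hypothetical names; the returned string is what would be passed as the `policy` property of `oss.CfnAccessPolicy`, and the function does not check that the principals exist in IAM.

```typescript
// Added example; buildConsoleAccessPolicy and readOnly are hypothetical names.
// IAM role or user ARN with a 12-digit account ID. Wildcards, STS session ARNs
// and the 10-digit placeholder from the snippet above do not match.
const IAM_PRINCIPAL = /^arn:aws(-cn|-us-gov)?:iam::\d{12}:(role|user)\/[\w+=,.@\/-]+$/;

// Permissions from the referenced policy, split into read and write halves.
const COLLECTION_READ = ["aoss:DescribeCollectionItems"];
const COLLECTION_WRITE = [
  "aoss:CreateCollectionItems",
  "aoss:DeleteCollectionItems",
  "aoss:UpdateCollectionItems",
];
const INDEX_READ = ["aoss:DescribeIndex", "aoss:ReadDocument"];
const INDEX_WRITE = [
  "aoss:CreateIndex",
  "aoss:DeleteIndex",
  "aoss:UpdateIndex",
  "aoss:WriteDocument",
];

function buildConsoleAccessPolicy(
  collectionName: string,
  principals: string[],
  readOnly = false
): string | undefined {
  // Trim, drop empty entries and de-duplicate the configured principals.
  const unique = principals
    .map((p) => p.trim())
    .filter((p, i, all) => p !== "" && all.indexOf(p) === i);
  // Nothing configured: return undefined so the caller creates no policy at all.
  if (unique.length === 0) return undefined;
  // Fail at synth time instead of deploying a policy with a malformed principal.
  const bad = unique.filter((p) => !IAM_PRINCIPAL.test(p));
  if (bad.length > 0) throw new Error(`Not an IAM role/user ARN: ${bad.join(", ")}`);
  const perms = (read: string[], write: string[]) => (readOnly ? read : read.concat(write));
  const rules = [
    { ResourceType: "collection", Resource: [`collection/${collectionName}`],
      Permission: perms(COLLECTION_READ, COLLECTION_WRITE) },
    { ResourceType: "index", Resource: [`index/${collectionName}/*`],
      Permission: perms(INDEX_READ, INDEX_WRITE) },
  ];
  // JSON.stringify escapes every value, unlike interpolation into a template string.
  return JSON.stringify([{ Rules: rules, Principal: unique }]);
}
```

With `readOnly` set, the principals get only the describe and read permissions, which is enough to browse indexes in the dashboard without being able to change or delete them.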
