To ensure our Lambda function can access the OpenSearch Service cluster, we need to modify the cluster’s access policy.
Navigate to the OpenSearch Service console.
Select the appropriate domain (e.g., water-temp). Ensure the Domain status says “Active.” If not, wait a few minutes and refresh the page.
Note the Domain endpoint for use in a later section. It should look similar to the following example:
https://search-water-temp-domain-xxxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.es.amazonaws.com
Choose Actions and select Edit security configuration.
Scroll to Access policy and review the policy. Currently, the policy restricts access by IP address. The current policy should look similar to the following example:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:000000000000:domain/water-temp/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "x.x.x.x"
            }
          }
        }
      ]
    }
Add a second statement that allows the IAM role used by the Lambda function (data-lake in this example) to access the domain. The updated policy should look similar to the following example:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "*"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:000000000000:domain/water-temp/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "x.x.x.x"
            }
          }
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::615700818209:role/data-lake"
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:us-east-1:000000000000:domain/water-temp/*"
        }
      ]
    }
Review.
Choose Save changes.
You have now modified the OpenSearch Service cluster to allow the Lambda function to access it.
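The same policy edit as a script, added here as an example that is not part of the original walkthrough: it appends the role statement without duplicating it and confirms that the wildcard-principal statement still carries its IP condition. The function names `grant_role` and `open_statements` are hypothetical, and the ARNs are the placeholder values from the policies above.

```python
import copy
import json

# Constructed inputs: the placeholder values from the policies shown above.
DOMAIN_ARN = "arn:aws:es:us-east-1:000000000000:domain/water-temp/*"
ROLE_ARN = "arn:aws:iam::615700818209:role/data-lake"
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": DOMAIN_ARN,
        "Condition": {"IpAddress": {"aws:SourceIp": "x.x.x.x"}},
    }],
}


def _principals(stmt):
    """Return the statement's AWS principals as a list of strings."""
    principal = stmt.get("Principal", {})
    aws = principal if isinstance(principal, str) else principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def grant_role(policy, role_arn, resource):
    """Return a copy of policy that allows role_arn on resource (idempotent)."""
    updated = copy.deepcopy(policy)
    for stmt in updated["Statement"]:
        if (stmt.get("Effect") == "Allow" and stmt.get("Resource") == resource
                and role_arn in _principals(stmt)):
            return updated  # role already granted, do not add a duplicate
    updated["Statement"].append({
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "es:*",
        "Resource": resource,
    })
    return updated


def open_statements(policy):
    """Indexes of Allow statements open to any principal with no Condition."""
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt.get("Effect") == "Allow" and "*" in _principals(stmt)
            and not stmt.get("Condition")]


if __name__ == "__main__":
    new_policy = grant_role(CURRENT_POLICY, ROLE_ARN, DOMAIN_ARN)
    assert open_statements(new_policy) == []  # IP restriction survived the edit
    print(json.dumps(new_policy, indent=2))
```

The printed JSON matches the two-statement policy above and can be pasted into the Access policy editor.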