ElasticsearchHttpPostPolicy set but still receiving "not authorized to perform: es:ESHttpPost"

[villasv]

Description:

I have a Lambda Function that I want to use to query an Amazon Elasticsearch Domain, but even after setting ElasticsearchHttpPostPolicy, using search will yield "{\"Message\":\"User: anonymous is not authorized to perform: es:ESHttpPost\"}" }

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
        - ElasticsearchHttpPostPolicy:
            DomainName: my-domain

  Search:
    Type: AWS::Elasticsearch::Domain
    Properties:
      DomainName: my-domain
      ElasticsearchVersion: 6.2
      ElasticsearchClusterConfig:
        InstanceCount: 1
        InstanceType: t2.small.elasticsearch
      EBSOptions:
        EBSEnabled: true
        Iops: 0
        VolumeSize: 10
        VolumeType: standard

[villasv]

I understand that this error message is usually associated with not signing the request, but intuitively ElasticsearchHttpPostPolicy was useful because I don't need to deal with credentials. Is that interpretation wrong? I wouldn't be surprised, because I guess that just sending a POST from the lambda won't send any policy or iam information by default.

But even after trying to sign the request, I get:

"{\"Message\":\"User: arn:aws:sts::XXXXXX:assumed-role/my-stack-FunctionRole-QUYMLS5WBXY1/my-function is not authorized to perform: es:ESHttpPost\"}"

[villasv]

Hmmm. After further investigation, this is the ARN generated by the managed policy:

arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}

But this is the ARN used elsewhere:

arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}/*

After swaping out the managed SAM policy for a standard IAM policy with that ARN, it started working.
Another option is to keep using the managed ElasticsearchHttpPostPolicy policy but set domainName to your-domain-name/*.

[shakirjames]

I had the same issue: #858