AWS ElasticSearch console: How to Access to Indices tab in my ES domain
It turns out my access policy setting itself was correct but if you have the master user account configured using the basic auth in your domain, the indices and the cluster health don't work. After I switched to ARN based master account, it worked.
For Googlers:
As of 2020/01, Amazon ES employs a trick way to determine how fine-granularity authorization is done.
- If your master user is an IAM user ARN, you implicitly opt in the IAM-way
- If your master user is created as an ES user with its own username and password, you implicitly opt in the normal-way
The implications are:
- IAM-way takes AWS token as a way to authorize requests
- Normal-way takes HTTP authentication
- If you choose normal-way then ES will not integrate with IAM nor will it map IAM user / roles to internal users even if they seemingly mapped in the Kibana UI
- If you choose the IAM-way then you lose the ability to log in via Kibana default login page, it becomes non-functional
- If you still want to use IAM-way plus the Kibana UI then you will need to integrate Cognito
This looks very confusing to users who see IAM users / roles mapped but only to find them unauthorized when accessing the domain.
As you can change master user (with down time) for ES domain, you can change it back and forth to avoid integrating with Cognito, but this is a pain.
This should be more clearly stated, or better emphasized in the official docs.
Please go to action dropdown as shown in the below image, there it will show the current access policy attach with your Elasticsearch domain.
In my case, it looks below and I am able to access the indices tab, Please note that Resources key which has /* means allowed access to all the endpoints in my domain and indices is part of it.
Note: once you have access, you can directly hit _cat/indices?v API to get the details of all indices.