
AWS Elasticsearch Access Policy for CodeBuild Integration Tests with Hibernate Search using ElasticSearch for index storage


I would like to extend the VME answer to be more precise.

To access ElasticSearch using a role, the request must certainly be signed.

This solution is generally correct, but in my particular case it is not suitable, since the requests to AWS ES are generated by Hibernate Search ElasticSearch. (Might we find another solution using AOP?)

I finally figured out a workaround for this problem. In the CodeBuild build spec I added the following steps:

  • Configure the AWS CLI using a user with a policy that allows it to read and update the ES domain.
  • Read and store the current ES Domain Access Policy
  • Get the CodeBuild EC2 IP
  • Update the ES Domain access policy to allow access from the CodeBuild IP
  • Wait until the changes apply (approx. 15 mins)
  • Run the test
  • Restore the previous configuration

I don't like this solution very much because the Domain Policy update takes too long. This step is part of a CodePipeline for Continuous Integration, and executions should not take more than 15 or 20 minutes.

Any ideas on how to improve this?


Possibly you need to sign your ES requests.

I am not familiar with CodeBuild, but generally the rule is: when using IAM roles to access Elasticsearch, your requests need to be signed with that IAM role.

E.g. for Python you would use a tool like this: https://github.com/DavidMuller/aws-requests-auth

More info: http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html