How can I access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication?


My Amazon OpenSearch Service cluster is in a virtual private cloud (VPC). I want to access the OpenSearch Dashboards endpoint from outside this VPC.

Resolution

Use one of these methods to access OpenSearch Dashboards from outside of a VPC using Amazon Cognito authentication:

Use an SSH tunnel

For more information, see How can I use an SSH tunnel to access OpenSearch Dashboards from outside of a VPC with Amazon Cognito authentication?

  • Advantages: Provides a secure connection over the SSH protocol. All connections use the SSH port.
  • Disadvantages: Requires client-side configuration and a proxy server.

Use an NGINX proxy

For more information, see How can I use an NGINX proxy to access OpenSearch Dashboards from outside a VPC that's using Amazon Cognito authentication?

  • Advantages: Setup is easier because only server-side configuration is required. Uses standard HTTP (port 80) and HTTPS (port 443).
  • Disadvantages: Requires a proxy server. The security level of the connection depends on how the proxy server is configured.

(Optional) If fine-grained access control (FGAC) is turned on, add an Amazon Cognito authenticated role

If fine-grained access control (FGAC) is turned on for your OpenSearch Service cluster, you might encounter a missing role error. To resolve the missing role error, perform the following steps:

1.    Sign in to the Amazon OpenSearch Service console.

2.    From the navigation pane, under Managed clusters, choose Domains.

3.    Choose Actions, and then choose Edit security configurations.

4.    Choose Set IAM ARN as your master user.

5.    In the IAM ARN field, add the Amazon Cognito authenticated role ARN.

6.    Choose Submit.

For more information about fine-grained access control, see Tutorial: IAM master user and Amazon Cognito.

Use a VPN

For more information, see What is AWS Site-to-Site VPN?

  • Advantages: Secure connection between your on-premises equipment and your VPCs. Uses standard TCP and UDP for TLS VPN.
  • Disadvantages: Requires VPN setup and client-side configuration.

Note: To allow or restrict access to resources, you must modify the VPC network configuration and the security groups associated with the OpenSearch Service domain. For more information, see Testing VPC domains.
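The same FGAC fix, and the security-group change the note above refers to, can be done from the AWS CLI instead of the console. The script below is an added example written for this page, not AWS's own code; the domain name, identity pool ID and security group IDs are placeholders you replace with your own. It reads the authenticated role from the Cognito identity pool, checks that the value is actually an IAM role ARN before handing it to the API, sets that role as the FGAC master user with `update-domain-config`, and then allows HTTPS (port 443) into the domain's security group only from the proxy's security group rather than from the whole internet.

```bash
#!/usr/bin/env bash
# Added example (not from the AWS article): set the Cognito authenticated role as the
# FGAC master user and restrict domain ingress to the proxy's security group.
set -euo pipefail

# Placeholder values (assumptions for this example); override via the environment.
DOMAIN_NAME="${DOMAIN_NAME:-my-opensearch-domain}"
IDENTITY_POOL_ID="${IDENTITY_POOL_ID:-us-east-1:00000000-0000-0000-0000-000000000000}"
DOMAIN_SG_ID="${DOMAIN_SG_ID:-sg-0000000000domain0}"   # security group attached to the domain
PROXY_SG_ID="${PROXY_SG_ID:-sg-00000000000proxy0}"     # security group of the NGINX/SSH proxy host

# Return 0 only for a well-formed IAM role ARN (12-digit account, "role/" resource).
# Rejects user ARNs and typos so a bad value never reaches update-domain-config.
is_iam_role_arn() {
  digits='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
  case "$1" in
    arn:aws*:iam::$digits:role/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON value expected by --advanced-security-options when the master user is an IAM ARN.
master_user_options_json() {
  printf '{"MasterUserOptions":{"MasterUserARN":"%s"}}' "$1"
}

# Read the authenticated role ARN that Cognito assigns to signed-in dashboard users.
lookup_authenticated_role() {
  aws cognito-identity get-identity-pool-roles \
    --identity-pool-id "$IDENTITY_POOL_ID" \
    --query 'Roles.authenticated' --output text
}

# Make the given role the FGAC master user of the domain (equivalent of the console steps).
set_fgac_master_user() {
  role_arn="$1"
  if ! is_iam_role_arn "$role_arn"; then
    echo "refusing to set master user: not an IAM role ARN: $role_arn" >&2
    return 1
  fi
  aws opensearch update-domain-config \
    --domain-name "$DOMAIN_NAME" \
    --advanced-security-options "$(master_user_options_json "$role_arn")"
}

# Allow TCP/443 into the domain's security group from the proxy's security group only.
# Using --source-group instead of --cidr 0.0.0.0/0 keeps the domain unreachable from
# anything that is not the proxy, which is the point of fronting it with one.
allow_proxy_https_ingress() {
  aws ec2 authorize-security-group-ingress \
    --group-id "$DOMAIN_SG_ID" \
    --protocol tcp --port 443 \
    --source-group "$PROXY_SG_ID"
}

main() {
  role_arn="$(lookup_authenticated_role)"
  echo "Cognito authenticated role: $role_arn"
  set_fgac_master_user "$role_arn"
  allow_proxy_https_ingress
}

# Live AWS calls run only when the script is invoked with --apply.
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as `./fgac-master-user.sh --apply` with credentials that can call `cognito-identity`, `opensearch` and `ec2`; without `--apply` it only defines the functions, which is what lets the ARN check and JSON builder be exercised offline.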


Related information

How do I troubleshoot Amazon Cognito authentication issues with OpenSearch Dashboards?

Configuring Amazon Cognito authentication for OpenSearch Dashboards

I get a "User: anonymous is not authorized" error when I try to access my OpenSearch Service cluster

AWS OFFICIAL. Updated a year ago.