AWS Lambda to proxy ElasticSearch Service using C#

Question

I am trying to create an AWS lambda using c# to access AWS ElasticSerch service. I have created a role that my lambda function is configured to use which has access to ElasticSeach. But the permission doesn't seem to be working.

Here is my setup:

1. I have created an access policy with Reading and Write access to ES service.
2. Created a role and assigned above policy
3. I have granted permissions to this role, to my ES cluster.

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Principal": {

        "AWS": "arn:aws:iam::XXXXXXXXXXX:role/lambda-es-role"

      },

      "Action": "es:*",

      "Resource": "arn:aws:es:us-west-2:XXXXXXXXXXXXXx:domain/es-test-es/*"

    }

  ]

}

I have a simple code in a lambda to see if I can connect to it.

public async Task<string> FunctionHandler()

    {

        HttpClient client = new HttpClient();

        var response = await client.GetStringAsync("https://XXXXX.us-west-2.es.amazonaws.com/firstindex");

        return response;

    }

This gives me a 403 Forbidden error. I even tried setting a trust relationship with es.amazonaws.com for the role. That also did not work.

If I make the ES cluster public, I can see the response.

Will this method work with Lambda? Am I missing some permissions?

Answer 1

You have to sign your request with signature 4 for this to work. Check this out:

https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/