Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster #318

Open
diogosilvaiupp opened this issue Oct 5, 2022 · 9 comments


diogosilvaiupp commented Oct 5, 2022

Dear, I'm getting the following error

Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster


terraform {
   required_providers {
     elasticsearch = {
       source = "phillbaker/elasticsearch"
       version = "2.0.5"
     }
   }
}

provider "elasticsearch" {
   username = "<myuser>"
   password = "<mypass>"
   url = "<my_url_vpc> and/or <my_custom_url>"
   healthcheck = false
   aws_region = "us-east-1"
}

There was a test with the master user and with another user created, both have the same error.

Could you please help me? Thanks


sujata2015 commented Oct 17, 2022

Hi,
I also have the same issue when trying to create the backend mapping

terraform {
 required_providers {
   aws = {
     source  = "hashicorp/aws"
     version = "4.33.0"
   }
   grafana = {
     source  = "grafana/grafana"
     version = ">= 1.13.3"
   }

   elasticsearch = {
     source = "phillbaker/elasticsearch"
     version = "2.0.5"
   }
 }
}

provider "elasticsearch" {
 url         = join("", ["https://",aws_elasticsearch_domain.es.endpoint])
 healthcheck = false
 username =        "var.user"
 password = "data.aws_ssm_parameter.opensearch_master_user_password.value"
}

# Create a role mapping
resource "elasticsearch_opensearch_roles_mapping" "mapper" {
  role_name     = "lambda_access"
  users = ["admin"]
  description   = "Mapping AWS IAM roles to ES role"
  backend_roles = [
    aws_iam_role.lambda_dashboard_exec.arn
    
  ]
}

and the error I am getting is HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.

Owner

phillbaker commented Oct 25, 2022

Hello, what steps have you taken so far to debug the issue? The error message is descriptive in this case: the provider does not have permission to access the cluster. You can also search this repository for similar issues in the past: https://github.com/phillbaker/terraform-provider-elasticsearch/issues?q=is%3Aissue+403

Please include the following information:

  • from where are you running the provider?
  • where is the elasticsearch cluster located?
  • can you access the cluster from where the provider is being run with the same credentials using curl?

Note: Issues on this repository are for reporting bugs and feature requests for this provider, not providing support for unique environments. In order to investigate this, a reproducible case should be provided, if that can't be provided, we'll have to close this issue to focus on widely impacting issues.

@sujata2015

Hello,
I am running the provider when executing Terraform init and apply from my local machine. It is configured to use the AWS CLI and the respective AWS profile.
The Elasticsearch cluster is located in the same AWS account.
I am able to execute a curl command using the same credentials from the same CLI.
Best Regards,
Sujata

@jlyon12345

Hi @phillbaker I think I am running into this issue as well (or something similar). As far as I can tell what is happening is the provider detects AWS from the url even if you specify a username and password, then tries to authenticate with AWS. This creates some confusion where the provider attempts to use AWS credentials even though they may not be configured properly for that specific opensearch/elasticsearch instance. Could we add a setting to select auth method? The offending line is here: https://github.com/phillbaker/terraform-provider-elasticsearch/blob/master/es/provider.go#L323 I can create a PR if you think this is the appropriate solution, thanks.


higuita commented Jan 5, 2023

I use this to connect to AWS. Notice the sign_aws_requests = false, which looks like it is required in AWS when using a plain username/password.

After this, everything started to work.

provider "elasticsearch" {
  url           = "https://vpc-logs-staging-rnux7f6m.eu-west-1.es.amazonaws.com:443/"
  kibana_url    = "https://vpc-logs-staging-rnux7f6m.eu-west-1.es.amazonaws.com/_dashboards"
  sign_aws_requests = false
  username      = "admin"
  password      = data.pass_password.admin_pass.password
  healthcheck  = false
   sniff        = false
}

Owner

phillbaker commented Jan 6, 2023 via email


rishabhToshniwal commented Apr 21, 2023

Facing a similar issue when Fine Grained Access Control is enabled for the OpenSearch domain. I tried curl from the same machine and it worked.

curl -k https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com -u "username:password"

Below is the configuration which I have

provider "elasticsearch" {
  url = "https://vpc-xxx-xxxx.eu-west-1.es.amazonaws.com"
  #sign_aws_requests = false
  aws_region =  var.aws_region
  healthcheck         =  false
  sniff        = false
  username =   username
  password =   password
}

The error I am getting

Error: HTTP 403 Forbidden: Permission denied. Please ensure that the correct credentials are being used to access the cluster.


vrecan commented Sep 4, 2023

@rishabhToshniwal were you able to resolve your issue? I am seeing the same problem. I can curl it manually just fine but I get 403 through the terraform module.


higuita commented Nov 1, 2023

> @rishabhToshniwal were you able to resolve your issue? I am seeing the same problem. I can curl it manually just fine but I get 403 through the terraform module.

again, read my comment: #318 (comment)

This works fine for me:

provider "elasticsearch" {
  url                = "https://logs-staging-r...amazonaws.com:443/"
  kibana_url         = "https://logs-staging-r....es.amazonaws.com/_dashboards"
  # SAML and basic user, we do not need aws auth
  # aws_region       = var.aws_region
  # aws_profile      = "staging"
  sign_aws_requests  = false
  username           = "admin"
  password           = data.pass_password.admin_pass.password
   healthcheck       = false
   sniff             = false
}
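
The auth selection described in this thread (an AWS-looking URL triggers request signing even when `username`/`password` are set, unless `sign_aws_requests = false`), written as a small preflight check. This is an added example, not the provider's code or anything posted by the participants; the `ProviderConfig` type, the `.es.amazonaws.com` suffix match and the default of `true` for `sign_aws_requests` are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ProviderConfig is a hypothetical type for illustration, not the provider's own struct.
type ProviderConfig struct {
	URL, Username, Password string
	SignAWSRequests         bool // assumed default when omitted: true
}

// AuthMode models the reported behaviour: AWS host + signing beats username/password.
func AuthMode(c ProviderConfig) (string, error) {
	u, err := url.Parse(c.URL)
	if err != nil || u.Hostname() == "" {
		return "", fmt.Errorf("invalid url %q", c.URL)
	}
	// Assumption: AWS domains are recognised by this hostname suffix.
	awsHost := strings.HasSuffix(u.Hostname(), ".es.amazonaws.com")
	switch {
	case awsHost && c.SignAWSRequests:
		return "sigv4", nil
	case c.Username != "" && c.Password != "":
		return "basic", nil
	}
	return "none", nil
}

// Check returns a warning when basic credentials are set but would be ignored.
func Check(c ProviderConfig) string {
	mode, err := AuthMode(c)
	if err != nil {
		return err.Error()
	}
	if mode == "sigv4" && c.Username != "" {
		return "username/password ignored: requests are SigV4-signed; set sign_aws_requests = false"
	}
	return ""
}

func main() {
	// Constructed endpoint and credentials, not values from the thread.
	c := ProviderConfig{"https://vpc-example-abc123.eu-west-1.es.amazonaws.com:443/", "admin", "example", true}
	fmt.Printf("signing on:  %q\n", Check(c))
	c.SignAWSRequests = false
	fmt.Printf("signing off: %q\n", Check(c))
}
```

Under this model, a configuration that leaves `sign_aws_requests` unset or commented out behaves like the "signing on" case, which is why curl with `-u` can succeed from the same machine while the provider receives a 403.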
