# Setting Up OpenSearch User Permissions for an AWS Role

If you're using AWS OpenSearch in your Immuta installation, use this how-to to set up the proper access and permissions needed for AWS role authentication.

## Requirements

* An OpenSearch domain
* The user setting up the permissions must have:
  * Administrative access to your AWS account
  * Master user on your OpenSearch domain

## Create an IAM role for Immuta audit

Create an AWS IAM role that Immuta will assume to send audit events to your OpenSearch domain.

1. [Create an AWS IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) with credentials using the [AWS SDK's default credential provider chain](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/setting-credentials-node.html). This method requires a configured [IAM role for a service account (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). Contact your Immuta representative to customize your deployment and set up an IAM role for a service account that can give Immuta the credentials to set up the integration.
2. Create the [access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-identity) for this role. It must include at least the permissions shown in the example below and may need additional permissions depending on your local setup. The full list of permissions is on the AWS [actions, resources, and condition keys page](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html).

   Note: If you use this example, replace the **content in angle brackets** with your region, AWS account ID, and domain.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:ESHttpDelete",
                "es:ESHttpGet",
                "es:ESHttpHead",
                "es:ESHttpPatch",
                "es:ESHttpPost",
                "es:ESHttpPut",
                "es:DescribeDomains",
                "es:ListDomainNames"
            ],
            "Resource": "arn:aws:es:<region>:<Your AWS Account ID>:domain/<your-domain>/*"
        }
    ]
}
```

3. Name the role and save.

## Set up domain access policy

Amazon OpenSearch Service domains are controlled by a [resource-based access policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types) that determines which IAM users or roles can connect to the domain and perform operations.

1. Follow [AWS documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types) for updating a resource-based policy. Immuta supports two options for domain access:
   1. **Only use fine-grained access control**: If you select this option, no additional actions are required for this step.
   2. **Configure domain access policy**:
      1. Edit the access policy to allow the role OpenSearch access and management operations. Grant your AWS IAM role `es:*` through a [resource-based policy](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types-resource).

         Note: If you use this example, replace the **content in angle brackets** with your region, AWS account ID, and domain.

         ```json
         {
             "Version": "2012-10-17",
             "Statement": [
                 {
                     "Effect": "Allow",
                     "Principal": {
                         "AWS": "arn:aws:iam::<Your AWS Account ID>:role/ImmutaAuditRole"
                     },
                     "Action": "es:*",
                     "Resource": "arn:aws:es:<region>:<Your AWS Account ID>:domain/<your-domain>/*"
                 }
             ]
         }
         ```
2. Save your changes.
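
As an added check that is not part of Immuta's documentation or of any AWS tool: a small Python validator that reads the two JSON policies from this how-to and flags a missing required `es:` action, a leftover angle-bracket placeholder, a resource not scoped to one named domain, or a `*` principal on the domain policy. The required-action list comes from this page; the account ID, region, domain and role ARN in the sample are constructed.

```python
# Minimum es: actions the how-to lists for the Immuta audit role's identity policy.
REQUIRED_ACTIONS = {
    "es:ESHttpDelete", "es:ESHttpGet", "es:ESHttpHead", "es:ESHttpPatch",
    "es:ESHttpPost", "es:ESHttpPut", "es:DescribeDomains", "es:ListDomainNames",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _check_resources(st, findings):
    # Each resource must name exactly one OpenSearch domain, with placeholders filled in.
    for r in _as_list(st.get("Resource", [])):
        domain = r.partition(":domain/")[2].split("/")[0] if r.startswith("arn:aws:es:") else ""
        if "<" in r or domain in ("", "*"):
            findings.append(f"resource {r!r} is not scoped to a single named domain")

def check_identity_policy(policy):
    """Findings for the IAM role's policy: missing required actions or over-broad grants."""
    findings, granted = [], set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        if actions & {"*", "es:*"}:
            findings.append("wildcard action is broader than the audit role needs")
            granted |= REQUIRED_ACTIONS
        granted |= actions
        _check_resources(st, findings)
    findings += [f"missing required action {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return findings

def check_domain_policy(policy, role_arn):
    """Findings for the domain's resource-based policy: only the audit role should be allowed."""
    findings, matched = [], False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if "*" in principals:
            findings.append("principal '*' lets any caller reach the domain")
        matched = matched or role_arn in principals
        _check_resources(st, findings)
    if not matched:
        findings.append(f"no Allow statement names {role_arn}")
    return findings

# Constructed sample (not from the page): the identity policy with one required action dropped.
SAMPLE_IDENTITY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": sorted(REQUIRED_ACTIONS - {"es:ESHttpDelete"}),
    "Resource": "arn:aws:es:us-east-1:123456789012:domain/immuta-audit/*"}]}
```

Run `check_identity_policy` on the policy you attach to the role and `check_domain_policy` on the domain's access policy before saving; an empty list means the grants match this how-to without being broader than it asks for.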

### Configure OpenSearch permissions

In the OpenSearch console, you must create or edit a role that grants Immuta’s IAM role access to the appropriate cluster and index permissions.

1. Follow [AWS documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html#ac-types) for creating a new OpenSearch role for your audit IAM role.
2. [Grant the following permissions](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-access-control) to the new role.
   1. Cluster-level permissions:

      ```
      cluster:monitor/health
      indices:data/write/bulk*
      indices:data/write/bulk
      indices:monitor/settings/get
      indices:data/read/scroll
      indices:data/read/scroll/clear
      ```
   2. Index-level permissions for the `*` index pattern:

      ```
      indices:admin/aliases
      indices:admin/aliases*
      indices:data/read/search
      indices:admin/exists
      indices:admin/create
      indices:admin/delete
      indices:admin/settings/update
      indices:admin/get
      indices:data/write/delete/byquery
      indices:data/write/index
      indices:admin/mapping/put
      indices:data/write/bulk
      indices:data/write/bulk*
      indices:monitor/settings/get
      indices:data/write/delete
      indices:data/read/scroll
      indices:data/read/scroll/clear
      indices:admin/refresh
      indices:admin/refresh*
      ```

### Map the IAM role to the OpenSearch role

Once the IAM role is created and OpenSearch permissions are updated, allow the role to assume permissions inside OpenSearch.

1. Follow [AWS documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-access-control) for updating a backend role in OpenSearch.
2. Select the OpenSearch role created for Immuta audit access.
3. Under **Backend roles**, add the ARN of your IAM role:

   ```
   arn:aws:iam::<Your AWS Account ID>:role/ImmutaAuditRole
   ```
4. Save your changes.

## Optionally create a trust relationship

If Immuta is deployed in an AWS account different from the one hosting OpenSearch, you must configure a trust relationship between the Immuta role and an OpenSearch role. Follow [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html) for creating IAM policies in the Amazon S3 console.

Once configured, set `SEARCH_AWS_ROLE_ARN` in `immuta-values.yaml` to the role for Immuta to assume.

After these steps are complete, your audit role should have the required permissions, and you can [complete the Immuta install](https://documentation.immuta.com/latest/configuration/self-managed-deployment/install/managed-public-cloud) using the IAM role.
