[AWS] Elasticsearch — No Permissions for [cluster:monitor/health]

Tony
2 min readMay 17, 2021

After you created a ElasticSearch cluster in AWS services, it is important to check cluster health status from time to time. You can check your Elasticsearch cluster health from AWS console at minimum, and you may want to take one step further to automate the cluster status monitoring.

This article shows you how to check your cluster status properly in AWS console, since by default you don’t have the right permission.

Cluster Health Summary

After you create your ElasticSearch cluster, and if you go to AWS “ElasticSearch” cluster console -> “Cluster health” -> “Summary”, you probably going to see the following:

You can still see the overall health, but just not the summary:

How to Fix

The reason that you couldn’t see the “summary” is due to the IAM user doesn’t have permissions to access the “_cluster/health” endpoint. An easy fix is to log into the Kibana interface, go to “Security” -> “Roles” -> “all_access” -> “Mapped users”, then add your IAM user ARN, for example, mine is (arn:aws:iam::xxxxxx:user/txu) to internal user mapping:

After add the user mapping, you should be able to see the cluster health summary.

Note

The proper way of doing this is to create a new role with only minimum needed permissions, then doing the IAM ARN user mapping, instead of adding it to the overall “all_access”. But everyone’s use case is different, so I will not go into the details of creating a new role. It should be fairly simple.

--

--