I'm trying to create an OpenSearch index using AWS CloudFormation without employing a Lambda function. I've been looking at an older AWS sample repository, which uses a Lambda along with a service role for API access to the specified index. However, I'm only focused on the knowledge base aspect right now. When I attempt to set up the index using `AWS::OpenSearchServerless::Index`, I keep getting an access denied error. I suspect the issue might be related to permissions rather than my AWS user or profile. Would I need to use a specific role instead? Also, this particular repo is outdated—could that affect things? My configuration is almost the same as in the repository, except I'm skipping a Lambda function meant for creating the index.
4 Answers
It seems like you're focused on a Lambda's role when setting up this index. If that's the only way you've seen it done, it's understandable to question it, but it’s not the only route anymore. Just ensure that the role used by your CloudFormation stack is explicitly allowed in your collection's access policy to avoid access denied errors. The repo may have just suggested Lambda for smoother operation and stricter permission control, but it’s not mandatory now!
I get where you're coming from wanting to skip the Lambda step! Just make sure your roles and permissions are all lined up correctly. If the stack execution role isn't listed correctly in your collection's access policy, that's where your access denied error is coming from. It’s totally doable without a Lambda if you set up your policies right!
Thanks for the clarification! I’ll dive into those policies now.
Short answer is yes, you can use CloudFormation's OSS Index resource type. But as you mentioned, access denied errors usually stem from permission issues, not the lack of a Lambda. Make sure the role in your stack is given the necessary rights in the access policy for the collection. And yeah, I wouldn’t recommend OpenSearch Serverless for heavy or frequent usage since costs can really add up.
You're running into a permissions issue rather than a limitation with CloudFormation itself. OpenSearch indexes in serverless mode require that the executing role has proper permissions defined in the collection's access policy. So, check your stack's execution role and ensure it's permitted at the index level. You don’t necessarily need a Lambda for this, but it’s essential to have a proper role set up to create the index without errors.

Exactly! Plus, I'd be cautious about OpenSearch Serverless as it can get pricey quickly, especially for lighter tasks!
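
The setup the answers describe, as an added example that is not from the thread or the AWS sample repository: a data access policy that names the role CloudFormation deploys with, scoped to a single index, and the index resource made to wait for that policy. The parameter names, the policy name and the `kb-index` default are assumptions, and the collection is assumed to exist already.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - grant the deploying role index rights, then create the index

Parameters:
  CollectionName:
    Type: String            # name of an existing collection (assumed)
  CollectionEndpoint:
    Type: String            # endpoint of that collection (assumed input)
  DeployRoleArn:
    Type: String            # role CloudFormation uses to create resources:
                            # the stack's service role, or the caller's role
                            # when no service role is passed
  IndexName:
    Type: String
    Default: kb-index       # constructed name

Resources:
  DeployRoleDataAccess:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: kb-index-cfn-access          # constructed name
      Type: data
      Description: Lets the deploying role manage one index
      # Least privilege: one principal, one index, index-level actions only.
      Policy: !Sub |
        [{
          "Principal": ["${DeployRoleArn}"],
          "Rules": [{
            "ResourceType": "index",
            "Resource": ["index/${CollectionName}/${IndexName}"],
            "Permission": [
              "aoss:CreateIndex",
              "aoss:DescribeIndex",
              "aoss:UpdateIndex",
              "aoss:DeleteIndex"
            ]
          }]
        }]

  KnowledgeBaseIndex:
    Type: AWS::OpenSearchServerless::Index
    # Without this ordering the index may be attempted before the policy
    # exists, which fails with the same access denied error.
    DependsOn: DeployRoleDataAccess
    Properties:
      CollectionEndpoint: !Ref CollectionEndpoint
      IndexName: !Ref IndexName
```

Separately from this data access policy, the deploying role's IAM policy must also allow `aoss:APIAccessAll` on the collection for data-plane calls to succeed.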