I have an AWS ElasticSearch Service Domain running in a VPC that I’m trying to connect to from Grafana, which is running as an ECS Task in an ECS Cluster within the same VPC. I’ve given the ECS Task a Task IAM Role which has the AmazonESFullAccess IAM role attached to it and I’ve set the access policy on my ElasticSearch to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<TaskRoleArn>"
      },
      "Action": "es:*",
      "Resource": "<AWSElasticSearchDomainARN>/*"
    }
  ]
}
When I try to add the ElasticSearch endpoint as a data source in Grafana I receive a 403 error and the response says:
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet"}
which leads me to believe Grafana isn’t assuming the IAM Role when making the request for some reason.
Is there some way to make Grafana assume an IAM Role when communicating with an AWS ElasticSearch Service Domain, or another way to connect it as a datasource?