I’ve created an AWS OpenSearch Serverless (aoss) collection and have assigned a network policy (public) and data policy. I’m following the [examples on ingestion][1] using Python. However, I get a 403 on every request. My example code is:
```python
from opensearchpy import OpenSearch, RequestsHttpConnection, AWSV4SignerAuth
import boto3

# Confirm which IAM principal the default credential chain resolves to
print(boto3.client('sts').get_caller_identity())

region = 'ap-southeast-1'
service = 'aoss'  # SigV4 service name for OpenSearch Serverless
session = boto3.Session(region_name=region)
credentials = session.get_credentials()
auth = AWSV4SignerAuth(credentials, region, service)

client = OpenSearch(
    hosts=[{'host': 'a7xskm5hlhw3xxxxxx.ap-southeast-1.aoss.amazonaws.com', 'port': 443}],
    http_auth=auth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection,
    pool_maxsize=20
)

index_name = 'abcdef-index'
client.indices.get(index_name)
```
The output of the run is:

```
$ python opensearch.py
{'UserId': 'AIDAXJFYST6QOxxxxxx', 'Account': '500750xxxxxx', 'Arn': 'arn:aws:iam::500750xxxxxx:user/konrads-aoss-test', 'ResponseMetadata': {'RequestId': 'f433ea2d-4a4d-4c8d-bdc6-900f7af4fa1b', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amzn-requestid': 'f433ea2d-4a4d-4c8d-bdc6-900f7af4fa1b', 'content-type': 'text/xml', 'content-length': '414', 'date': 'Thu, 13 Jun 2024 12:27:56 GMT'}, 'RetryAttempts': 0}}
<stack trace skipped>
opensearchpy.exceptions.AuthorizationException: AuthorizationException(403, 'Forbidden')
```
This suggests that the request to AWS is authenticated correctly. I am able to browse the dashboard and create indices from Dev Tools when logged in as the AdminSSO role in my browser.
The data policy is:
```json
[
  {
    "Rules": [
      {
        "Resource": [
          "collection/*"
        ],
        "Permission": [
          "aoss:CreateCollectionItems",
          "aoss:DeleteCollectionItems",
          "aoss:UpdateCollectionItems",
          "aoss:DescribeCollectionItems",
          "aoss:*"
        ],
        "ResourceType": "collection"
      },
      {
        "Resource": [
          "index/konradstest/*"
        ],
        "Permission": [
          "aoss:CreateIndex",
          "aoss:DeleteIndex",
          "aoss:UpdateIndex",
          "aoss:DescribeIndex",
          "aoss:ReadDocument",
          "aoss:WriteDocument",
          "aoss:*"
        ],
        "ResourceType": "index"
      }
    ],
    "Principal": [
      "arn:aws:iam::500750xxxxxx:user/konrads-aoss-test",
      "arn:aws:iam::500750xxxxxx:role/AdminSSO"
    ],
    "Description": "allow-test-access"
  }
]
```
Any help appreciated
[1]: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/serverless-clients.html#serverless-python
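Added example, not part of the question: an offline checker that evaluates the data access policy above against a principal ARN, a collection name and an index name, using a simplified model of how aoss matches rules (exact principal, glob on the resource pattern, `aoss:*` or exact permission). The collection name `konradstest` is taken from the policy's index rule; the collection name actually attached to the endpoint is not on the page, so it is a parameter, and `aoss:DescribeIndex` as the permission behind `indices.get` is an assumption.

```python
import fnmatch

# Constructed copy of the data access policy from the question (account id masked as on the page).
DATA_POLICY = [{
    "Rules": [
        {"ResourceType": "collection", "Resource": ["collection/*"],
         "Permission": ["aoss:CreateCollectionItems", "aoss:DeleteCollectionItems",
                        "aoss:UpdateCollectionItems", "aoss:DescribeCollectionItems", "aoss:*"]},
        {"ResourceType": "index", "Resource": ["index/konradstest/*"],
         "Permission": ["aoss:CreateIndex", "aoss:DeleteIndex", "aoss:UpdateIndex", "aoss:DescribeIndex",
                        "aoss:ReadDocument", "aoss:WriteDocument", "aoss:*"]},
    ],
    "Principal": ["arn:aws:iam::500750xxxxxx:user/konrads-aoss-test",
                  "arn:aws:iam::500750xxxxxx:role/AdminSSO"],
    "Description": "allow-test-access",
}]


def index_resource(collection_name, index_name):
    """Resource string a data policy matches for an index. The middle segment is the
    collection *name* shown in the console, not the random id in the endpoint hostname."""
    return f"index/{collection_name}/{index_name}"


def allowed(policy, principal_arn, resource_type, resource, permission):
    """True if some rule in some policy document grants `permission` on `resource` to `principal_arn`.
    Simplified model of aoss data-policy evaluation; it does not model the separate IAM-side
    requirement that the caller's IAM policy allow the aoss data-plane API."""
    for doc in policy:
        if principal_arn not in doc.get("Principal", []):
            continue
        for rule in doc.get("Rules", []):
            if rule.get("ResourceType") != resource_type:
                continue
            if not any(fnmatch.fnmatchcase(resource, pat) for pat in rule.get("Resource", [])):
                continue
            if any(p == "aoss:*" or p == permission for p in rule.get("Permission", [])):
                return True
    return False


def diagnose(policy, principal_arn, collection_name, index_name):
    """List which grants needed for client.indices.get(index_name) are missing (assumed permissions)."""
    problems = []
    if not allowed(policy, principal_arn, "collection", f"collection/{collection_name}",
                   "aoss:DescribeCollectionItems"):
        problems.append("no collection-level grant")
    res = index_resource(collection_name, index_name)
    if not allowed(policy, principal_arn, "index", res, "aoss:DescribeIndex"):
        problems.append(f"no index grant matching {res}")
    return problems
```

Running `diagnose` with the collection name the endpoint actually belongs to shows immediately whether the `index/konradstest/*` pattern covers `abcdef-index` for the `konrads-aoss-test` user; an empty result means the 403 must come from outside the data policy (for example the IAM side or the network policy).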