AWS IAM Role Based authentication for Elasticsearch


nick Chao

Dec 15, 2022, 6:25:00 PM
to HAPI FHIR
Hi, I'm looking for some details on role-based authentication for Elasticsearch. Specifically, what the supported versions are and whether there is any support (currently or planned) for OpenSearch.

Real-world problem:
- I would like to use an external Elasticsearch rather than the local Lucene index, which is easily configurable in application.yaml with username and password access. However, my Elasticsearch is deployed via AWS managed OpenSearch (running version 7.10.2), and role-based authentication is a requirement as opposed to just username+password. I noticed a merge on September 9th that seems to allow this; however, no documentation seems to be available: https://github.com/hapifhir/hapi-fhir/pull/4011

Server version: latest

What steps have you tried already:
- Using aws-es-proxy to handle the authentication. This presumably works on Elasticsearch version 7.17.0 (seeing as the ES Java client used by the FHIR server is 7.17.0); however, I'd prefer to use the AWS managed service, which only supports up to version 7.10.

So the meat of my questions based on the context above:
- Where can I find documentation on how to use and configure the role-based access for Elasticsearch?
- What are the supported versions of Elasticsearch for role-based access?
- Is there any support (currently or planned) for OpenSearch?

Thank you,
-Nick

nick Chao

Dec 15, 2022, 6:39:08 PM
to HAPI FHIR
One more detail about "What steps have you tried already": Using aws-es-proxy on Elasticsearch version 7.10.0 gave us an "Invalid or mismatched build flavor [oss]" error, which is due to the Java Elasticsearch client version being 7.17.0, which does not support the oss build flavor that comes with AWS managed Elasticsearch.