by simonvdv 3644 days ago
We ran into the access control limitations as well. They are caused by the fact that for some reason AWS ES only supports resource based policies which is imho the wrong way around to manage your policies.

We did get it to work in a usable manner by having the ES policy apply to a role (i.e. the principal is a role). If you then apply that role to your instances it will work with instance profile based auth.

1 comments

That's exactly what I was doing with the elasticsearch plugin for logstash, but I still couldn't figure out how to auth vanilla http requests to it from kibana or the like... Then I decided I'd wasted way too much time on this, and would just build it myself. Other services such as Bonsai support basic auth which I would have almost preferred :/

I was able to use the code mentioned in this AWS forum post to configure a proxy using node.js: https://forums.aws.amazon.com/thread.jspa?threadID=218214

Code: https://gist.github.com/nakedible-p/ad95dfb1c16e75af1ad5

Looks like it's been turned into an NPM-installable module too: https://github.com/santthosh/aws-es-kibana

We're using this logstash output plugin at the moment (https://github.com/awslabs/logstash-output-amazon_es); together with the instance profile based permission it works as it should.

We are considering switching to the normal logstash-output-es plugin together with an AWS v4 auth signing proxy to make the setup more portable/less tied to AWS. I have a basic signing proxy setup working based on nginx/openresty. If you're interested just let me know.
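
The signing step that the proxies discussed in this thread perform, as an added example that is not part of the thread or of any linked project: a Node.js function that produces the AWS Signature Version 4 headers for one request to an Amazon ES domain. The function name, host, credentials and timestamp are constructed for illustration, and the path is assumed to contain only unreserved characters.

```javascript
// Added example: SigV4-sign one request for an Amazon ES domain (service name "es").
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();
const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');
// RFC 3986 percent-encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

function signEsRequest({ method, host, path, query = {}, body = '', region, creds, now = new Date() }) {
  // Assumption: path uses only unreserved characters, so no extra path encoding is needed.
  if (!/^\/[A-Za-z0-9\-._~\/]*$/.test(path)) throw new Error('path needs canonical encoding');
  const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, ''); // e.g. 20151001T120000Z
  const dateStamp = amzDate.slice(0, 8);

  const headers = { host, 'x-amz-date': amzDate };
  // Instance-profile (role) credentials are temporary and carry a session token.
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

  const names = Object.keys(headers).sort();
  const canonicalRequest = [
    method,
    path,
    Object.keys(query).sort().map((k) => `${enc(k)}=${enc(String(query[k]))}`).join('&'),
    names.map((n) => `${n}:${headers[n].trim()}\n`).join(''),
    names.join(';'),
    sha256Hex(body),
  ].join('\n');

  const scope = `${dateStamp}/${region}/es/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');

  // Key derivation chain: secret -> date -> region -> service -> "aws4_request".
  let key = hmac('AWS4' + creds.secretAccessKey, dateStamp);
  for (const part of [region, 'es', 'aws4_request']) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString('hex');

  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${names.join(';')}, Signature=${signature}`;
  return headers;
}

// Constructed sample values; none are real credentials or a real domain.
const sample = signEsRequest({
  method: 'GET', host: 'search-example.us-east-1.es.amazonaws.com', path: '/_cluster/health',
  region: 'us-east-1', now: new Date(Date.UTC(2015, 9, 1, 12, 0, 0)),
  creds: { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'not-a-real-secret', sessionToken: 'constructed-token' },
});
console.log(sample.authorization);
```

The body hash and the timestamp are both covered by the signature, so a proxy has to sign each request after it has the final body and just before forwarding it.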