Creating a Read-Only User with Dashboard Access in AWS OpenSearch

Learn to create a read-only user in AWS OpenSearch for secure dashboard access. Configure user roles with restricted permissions, link them to OpenSearch Dashboards, and ensure users can view but not modify data, maintaining secure and efficient data visualization.

Creating a Read-Only User with Dashboard Access in OpenSearch

Introduction

This document outlines the steps to create a user with read-only permissions in OpenSearch. This user can access dashboards but is restricted from performing any data modification tasks.

Prerequisites

  • Access to OpenSearch with administrative privileges.
  • OpenSearch Dashboards configured and running.
  • Security plugin enabled in OpenSearch (e.g., OpenSearch Security or equivalent).

Steps to Create the User

  1. Log in to OpenSearch Dashboards

Open the OpenSearch Dashboards URL in your browser and log in using an administrative account.

 

  2. Create a Role with Read-Only Permissions

  • Navigate to Security > Roles.
  • Click Create Role and configure the following:
  •   Role Name: read-only
  •   Cluster Permissions: indices:data/read/mget
  •   Index Permissions: click Add index permissions, enter .kibana_1 in the index field, and assign the read permission.
  •   Tenant Permissions: in the Tenant section, add private_copy and assign read_only.
  • Save the role to create it.

 

  3. Create the User

  • Navigate to Security > Users.
  • Click Create User and provide the following details:
  •   Username: read_logs
  •   Password: a strong password.
  • Save the changes to create the user.

 

  4. Map the User to the Role

  • Under the selected role (readonly_user), navigate to the Mapped Users tab.
  • Click Manage Mappings.
  • In the Map Users section, perform the following steps:
  •   Map a User: add the username of the user to grant read-only access (e.g., readonly_user).

  5. Log In as the Mapped User (Read-Only Dashboard Privileges)

  • Go to the OpenSearch Dashboards URL and enter the username (read_logs) and its password.
  • Choose the custom tenant (private_copy).
  • The dashboard is now shown in read-only mode.
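
The role, user and mapping from steps 2 to 4 can also be expressed as Security plugin REST API requests. The following is an added example, not part of the original walkthrough: it builds the three request bodies and checks that the role grants nothing beyond read access. The `kibana_all_read` tenant action group, the `READ_ONLY_GROUPS` allow-list and the placeholder password are assumptions.

```python
import json

# Names taken from the steps above; the password is a constructed placeholder.
ROLE, USER, INDEX, TENANT = "read-only", "read_logs", ".kibana_1", "private_copy"
API = "_plugins/_security/api"  # Security plugin REST prefix

# Assumption: only these action groups count as read-only in this check.
READ_ONLY_GROUPS = {"read", "search", "get", "kibana_all_read"}


def build_requests(password):
    """Return (method, path, body) tuples mirroring steps 2 to 4."""
    role = {
        "cluster_permissions": ["indices:data/read/mget"],
        "index_permissions": [
            {"index_patterns": [INDEX], "allowed_actions": ["read"]}],
        # Assumption: kibana_all_read is the read-only tenant action group.
        "tenant_permissions": [
            {"tenant_patterns": [TENANT], "allowed_actions": ["kibana_all_read"]}],
    }
    return [
        ("PUT", f"{API}/roles/{ROLE}", role),
        ("PUT", f"{API}/internalusers/{USER}", {"password": password}),
        ("PUT", f"{API}/rolesmapping/{ROLE}", {"users": [USER]}),
    ]


def non_read_grants(role):
    """List every permission in a role body that is not clearly read-only."""
    found = []
    for perm in role.get("cluster_permissions", []):
        if ":data/read/" not in perm:
            found.append(("cluster", perm))
    for kind in ("index", "tenant"):
        for entry in role.get(f"{kind}_permissions", []):
            for action in entry.get("allowed_actions", []):
                if action not in READ_ONLY_GROUPS and ":data/read/" not in action:
                    found.append((kind, action))
    return found


if __name__ == "__main__":
    requests_ = build_requests("<strong-password-placeholder>")
    for method, path, body in requests_:
        print(method, path, json.dumps(body))
    # An empty list means the role grants nothing beyond read access.
    print("non-read grants:", non_read_grants(requests_[0][2]))
```

Running `non_read_grants` over the JSON of an existing role before mapping users to it surfaces wildcard or write grants that would defeat the read-only intent.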