Unable to connect AWS Lambda to Elastic Search, getting a 403 error, asking for help
I’ve run into this exact 403 issue before when setting up Kinesis-to-ES pipelines—let’s walk through the most common fixes to get your Lambda working properly.
1. Verify Amazon ES Domain Access Policy (Most Common Culprit)
You’ve configured the Lambda IAM role with ES permissions, but Amazon ES also has its own resource-level access policy that controls who can interact with the domain. If this policy doesn’t explicitly allow your Lambda execution role, you’ll get a 403.
To fix this:
- Go to the Amazon ES/OpenSearch Service console
- Select your domain, then navigate to the Access policy tab
- Add a statement that grants your Lambda role permission to perform the `es:ESHttpPut` and `es:ESHttpPost` actions on your domain. Here’s an example policy snippet (replace the ARNs with your own):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_LAMBDA_EXECUTION_ROLE_NAME"
      },
      "Action": [
        "es:ESHttpPut",
        "es:ESHttpPost"
      ],
      "Resource": "arn:aws:es:us-east-1:YOUR_ACCOUNT_ID:domain/YOUR_ES_DOMAIN/*"
    }
  ]
}
```
2. Double-Check Lambda IAM Role Configuration
While your current role has the right actions, ensure:
- The `Resource` field in your role’s policy isn’t accidentally restricted (using `*` is fine for testing, but you can lock it down to your ES domain’s ARN later)
- Your Lambda function is actually using this role (check the Configuration > Permissions tab in the Lambda console)
- The Lambda function is deployed in the same AWS region as your ES domain (your code uses `us-east-1`—confirm your ES domain is here too)
3. Validate VPC & Security Group Settings
If your ES domain is configured for VPC access:
- Your Lambda function must be deployed in the same VPC as the ES domain
- The Lambda’s security group must allow outbound traffic to the ES domain’s security group on port 443 (HTTPS)
- The ES domain’s security group must allow inbound traffic from the Lambda’s security group on port 443
If your ES domain is public-facing but your Lambda is in a VPC:
- Ensure your Lambda has access to the internet via a NAT Gateway (otherwise it can’t reach the public ES endpoint)
4. Fix Code Issues That Might Cause Authorization Failures
- Confirm the ES domain URL: Your `host` variable must be the full HTTPS endpoint of your ES domain (e.g., `https://my-es-domain.us-east-1.es.amazonaws.com`). Don’t include a trailing slash—your code’s URL handling will add it correctly.
- Deprecation Note: For ES 7.x+, the document type parameter is deprecated. Replace your `type` variable with `_doc` to avoid future issues:

```python
type = '_doc'
url = host + '/' + index + '/' + type + '/'
```

- Check AWS4Auth Setup: Ensure the `service` parameter is set to `'es'` (even for Amazon OpenSearch Service, this value remains `'es'` for AWS4Auth).
5. Test with a Simplified Request
To narrow down the issue, try adding a debug print statement to log the awsauth object (only in testing—never expose credentials in production) and test a direct API call to your ES domain using Postman or curl with the same credentials. This will help confirm if the issue is with the Lambda’s authorization or the ES domain itself.
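As an added example (not part of the original question or answer), the following Python checks offline whether a domain access policy like the one in step 1 would allow a given Lambda role to issue the PUT/POST requests an indexer makes, including the common trap of a `Resource` that lacks the trailing `/*`. The account id, role name and domain name are constructed placeholders, and Condition, NotAction and NotPrincipal are not modelled.

```python
import fnmatch
import json

# Constructed sample policies (placeholder account id, role name and domain name).
ALLOW_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/lambda-kinesis-to-es"},
    "Action": ["es:ESHttpPut", "es:ESHttpPost"],
    "Resource": "arn:aws:es:us-east-1:111122223333:domain/my-es-domain/*"
  }]
}""")
# Same statement but the Resource lacks the trailing /* : index writes target
# domain/NAME/<index>/..., so this yields an implicit deny (a 403) in practice.
NARROW_POLICY = json.loads(json.dumps(ALLOW_POLICY))
NARROW_POLICY["Statement"][0]["Resource"] = ALLOW_POLICY["Statement"][0]["Resource"][:-2]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold=False):
    # IAM-style '*' / '?' wildcard match; fold=True for case-insensitive action names.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))

def _principal_matches(principal, role_arn):
    if principal == "*":
        return True
    return _matches(principal.get("AWS", []), role_arn)

def evaluate(policy, role_arn, action, resource_arn):
    """Decision for one request: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _principal_matches(st.get("Principal", {}), role_arn):
            continue
        if not _matches(st.get("Action", []), action, fold=True):
            continue
        if not _matches(st.get("Resource", []), resource_arn):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit deny overrides any allow
        decision = "Allow"
    return decision

def check_indexer(policy, role_arn, domain_arn, index="my-index"):
    """Decisions for the PUT/POST a Lambda indexer sends to <domain>/<index>/_doc/."""
    target = "%s/%s/_doc/1" % (domain_arn, index)  # request resource includes the path
    return {a: evaluate(policy, role_arn, a, target) for a in ("es:ESHttpPut", "es:ESHttpPost")}
```

Run `check_indexer` with the policy you actually attached to the domain and the execution role ARN shown under Configuration > Permissions; any `ImplicitDeny` here is the 403 you will see from the Lambda.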
The question above comes from Stack Exchange; question author: Akhil Kintali