@MgeeeeK MgeeeeK commented Oct 24, 2025

Summary

This PR adds support for authenticating to Amazon OpenSearch Service and Amazon OpenSearch Serverless (AOSS) using AWS SigV4 signing with IAM credentials.

Changes

  • New: OpensearchAwsAuthConfigurator implementing SPI interfaces for AWS authentication
  • Dependencies: Added AWS SDK dependencies (auth, regions, sts, http-auth-aws) and aws-request-signing-apache-interceptor
  • Enhancement: Updated RequestBuilder to handle AOSS requirement (no explicit document IDs)
  • Registration: Registered AWS auth configurator in META-INF service loader files

Features

The implementation supports multiple credential sources via AWS SDK's DefaultCredentialsProvider chain:

  • IAM Roles for Service Accounts (IRSA) in Kubernetes/EKS
  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  • EC2 instance profiles
  • AWS profiles

Configuration

New connector configuration properties:

  • aws.auth.region: AWS region for SigV4 signing (e.g., us-west-2) - Required
  • aws.auth.service.name: Service name for SigV4 signing - es for OpenSearch Service or aoss for OpenSearch Serverless - Required

Example Configuration

{
  "connection.url": "https://search-domain.us-west-2.es.amazonaws.com",
  "aws.auth.region": "us-west-2",
  "aws.auth.service.name": "es"
}

Testing

Tested with:

  • Amazon OpenSearch Service (managed ES)
  • Amazon OpenSearch Serverless (AOSS)
  • IRSA authentication in EKS

Notes

  • AOSS requires documents to be indexed without explicit IDs, which is handled automatically when aws.auth.service.name=aoss
  • The implementation uses the standard AWS SDK credential provider chain, making it compatible with various deployment environments

…rch Serverless

This commit adds support for authenticating to Amazon OpenSearch Service and
Amazon OpenSearch Serverless (AOSS) using AWS SigV4 signing with IAM credentials.

Changes:
- Add OpensearchAwsAuthConfigurator implementing SPI interfaces for AWS auth
- Add AWS SDK dependencies (auth, regions, sts, http-auth-aws)
- Add aws-request-signing-apache-interceptor for HTTP request signing
- Update RequestBuilder to handle AOSS (no explicit document IDs)
- Register AWS auth configurator in META-INF services

The implementation supports:
- IAM Roles for Service Accounts (IRSA) in Kubernetes
- Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
- EC2 instance profiles
- AWS profiles via DefaultCredentialsProvider chain

Configuration:
- aws.auth.region: AWS region (e.g., us-west-2)
- aws.auth.service.name: Service name ("es" or "aoss")
@MgeeeeK MgeeeeK requested a review from a team as a code owner October 24, 2025 02:47
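Added example, not code from this PR or the connector: a minimal Python SigV4 computation showing how `aws.auth.region` and `aws.auth.service.name` enter the credential scope and the derived signing key, so an `es`/`aoss` mix-up yields a different signature for the same request. The credentials, timestamp and choice of signed headers are constructed assumptions; the PR itself delegates signing to aws-request-signing-apache-interceptor.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Region and service are folded into the key, so a wrong value in either
    # connector property gives a signature that will not match the server's.
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def authorization_header(config, access_key, secret, amz_date,
                         method="GET", path="/", body=b""):
    region = config["aws.auth.region"]
    service = config["aws.auth.service.name"]
    if service not in ("es", "aoss"):
        raise ValueError(f"unsupported aws.auth.service.name: {service!r}")
    payload_hash = hashlib.sha256(body).hexdigest()
    # Headers signed in this example (assumption; a real signer picks its own set).
    headers = {"host": urlsplit(config["connection.url"]).netloc,
               "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Third element is the canonical query string (empty here); path is assumed simple.
    canonical = "\n".join([method, path, "", canonical_headers, signed, payload_hash])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")

# Constructed inputs: the PR's example configuration plus placeholder credentials.
CONFIG = {"connection.url": "https://search-domain.us-west-2.es.amazonaws.com",
          "aws.auth.region": "us-west-2", "aws.auth.service.name": "es"}
ACCESS_KEY, SECRET = "AKIAEXAMPLE", "EXAMPLE-SECRET-NOT-REAL"
AMZ_DATE = "20251024T024700Z"

if __name__ == "__main__":
    print(authorization_header(CONFIG, ACCESS_KEY, SECRET, AMZ_DATE))
    print(authorization_header({**CONFIG, "aws.auth.service.name": "aoss"}, ACCESS_KEY, SECRET, AMZ_DATE))
```
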