fix: use open access policy for FGAC-enabled domains

kylehounslow · kylehounslow · commit 268dffa6629f · 2026-04-02T09:35:57.000-07:00
A scoped Principal (account root) blocks basic auth requests to the
Security API, preventing FGAC role mapping. Use open access policy
with Principal: * and let FGAC handle all authorization. Also map
roles to security_manager for PPL permissions.

Signed-off-by: Kyle Hounslow &lt;kylhouns@amazon.com&gt;
diff --git a/aws/cli-installer/src/aws.mjs b/aws/cli-installer/src/aws.mjs
@@ -193,11 +193,14 @@ async function createManagedDomain(cfg) {
   } catch (err) {
     if (err.name !== 'ResourceNotFoundException') throw err;
 
+    // Open access policy — FGAC (fine-grained access control) handles authorization.
+    // A scoped Principal (e.g. account root) blocks basic auth requests, which
+    // prevents the Security API from working for FGAC role mapping.
     const accessPolicy = JSON.stringify({
       Version: '2012-10-17',
       Statement: [{
         Effect: 'Allow',
-        Principal: { AWS: `arn:aws:iam::${cfg.accountId}:root` },
+        Principal: { AWS: '*' },
         Action: 'es:*',
         Resource: `arn:aws:es:${cfg.region}:${cfg.accountId}:domain/${cfg.osDomainName}/*`,
       }],
