boto3: InvalidTypeException when attempting to set access policies through update_elasticsearch_domain_config

Anytime I try to update the access policies through update_elasticsearch_domain_config, I get the following error:

botocore.exceptions.ClientError: An error occurred (InvalidTypeException) when calling the UpdateElasticsearchDomainConfig operation: Error setting policy: [{"Sid":"fsasaafffff","Effect":"Allow","Principal":{"AWS":"*"},"Action":"es:*","Resource":"arn:aws:es:us-west-2:XXXXXXXXX:domain/int-XXXXXX-XXXXX/*"}]}}]

It isn’t the policy that seems to be the error, since I can set the exact same policy through awscli or the UI, which leads me to believe I am passing it incorrectly somehow. I have tried every combination of storing it as a file, minified, unminified, passing it in directly as a raw string, doing a json.dumps on it first, etc.

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 20 (3 by maintainers)

Most upvoted comments

For posterity: I also had a similar issue, and it turned out I was referring to an IAM role that didn’t exist in the policy.

Not obvious at all from the “InvalidTypeException” exception message 😦

I can successfully execute update_elasticsearch_domain_config API from boto3 and CLI as follows.

boto3

version : Boto3/1.2.5 Python/2.7.10 Darwin/15.3.0 Botocore/1.3.30

One thing to note is that you have to pass the policy as a string, not as JSON (dict).

import json
import boto3

#boto3.set_stream_logger(name='botocore') # for debugging
client = boto3.client('es')
access_policy = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-northeast-1:123456789012:domain/foo/*"
    }
  ]
}

client.update_elasticsearch_domain_config(
  DomainName='foo',
  AccessPolicies=json.dumps(access_policy)
)

AWS CLI

$ aws --version
aws-cli/1.10.8 Python/2.7.10 Darwin/15.3.0 botocore/1.3.30
$ cat access.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-northeast-1:123456789012:domain/foo/*"
    }
  ]
}

$ aws es update-elasticsearch-domain-config --domain-name foo --access-policies file://access.json
...  UPDATED POLICIES WILL BE RETURNED
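
An added example, not part of the thread or of boto3: a pre-flight check for the two causes reported in the comments above (a policy passed as a dict instead of a string, and a policy naming an IAM role that does not exist), which also flags Allow statements open to any principal. `prepare_access_policy`, `role_exists`, `SAMPLE` and `KNOWN_ROLES` are hypothetical names, and the role lookup is injected so the block runs offline.

```python
import json

def prepare_access_policy(policy, role_exists=lambda arn: True):
    """Serialize a policy for the AccessPolicies parameter and list findings.

    role_exists is a hypothetical callback (ARN -> bool); in practice it
    could wrap an IAM lookup. It is injected so this example runs offline.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    if not isinstance(doc, dict) or "Statement" not in doc:
        raise ValueError("policy must be a JSON object with a Statement")
    statements = doc["Statement"]
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*":
                if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
                    findings.append("Statement[%d]: Allow for any principal, no Condition" % i)
            elif ":role/" in arn and not role_exists(arn):
                findings.append("Statement[%d]: role not found: %s" % (i, arn))
    # The API expects a string, so always return serialized JSON, never a dict.
    return json.dumps(doc), findings

# Constructed sample: account ID, domain and role names are placeholders.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
         "Resource": "arn:aws:es:ap-northeast-1:123456789012:domain/foo/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/missing-role"},
         "Action": "es:ESHttpGet",
         "Resource": "arn:aws:es:ap-northeast-1:123456789012:domain/foo/*"},
    ],
}
KNOWN_ROLES = {"arn:aws:iam::123456789012:role/es-reader"}  # constructed

if __name__ == "__main__":
    body, findings = prepare_access_policy(SAMPLE, lambda arn: arn in KNOWN_ROLES)
    print(type(body).__name__)  # the value to pass as AccessPolicies
    for finding in findings:
        print(finding)
```
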