Rolemapped backend_role doesn't have assigned permissions

I’ve got a backend role (iam role from aws), let’s call it my-role
I’ve mapped the predefined role readall_and_monitor to backend_role my-role
Double checking the permissions of readall_and_monitor shows that it has the action group cluster_composite_ops_ro which includes the allowed action indices:admin/aliases/get*. I should note that the actiongroup and role are both predefined and have not been modified.

However, when I make a request to {my-cluster}/_cat/aliases?format=json&h=alias
I get the below error, when the user explicitly does have that permission:

"type": "security_exception",
"reason": "no permissions for [indices:admin/aliases/get] 
           and User [name=arn:aws:iam::*:role/my-role, 

I would assume that [indices:admin/aliases/get*] would include [indices:admin/aliases/get]

to verify, I got the current settings, and responses were:

GET .../rolesmapping
"readall_and_monitor": {
   "backend_roles": [
GET .../roles
"readall_and_monitor": { ...
   "cluster_permissions": [
   "index_permissions": [{
      "index_patterns": [ "*" ],
      "fls": [], "masked_fields": [],
      "allowed_actions": [ "read", "indices_monitor" ]
   }], "tenant_permissions": [], ...
GET .../actiongroups
"cluster_composite_ops_ro": {
   "allowed_actions": [
      "indices:data/read/mget",      "indices:data/read/msearch",
      "indices:data/read/mtv",       "indices:admin/aliases/exists*",
      "indices:admin/aliases/get*",  "indices:data/read/scroll"
   "type": "cluster",
   "description": "Allow readonly bulk and m* operations",
   "static": false

from the above 3 requests, it looks like the user should have the required permissions that the error message says it doesn’t have.

@hmw The permission seems to be on the index level, So in order to rectify this, you can either create a copy of the readall_and_monitor and under index permission add indices:admin/aliases/get and only map to this role, as below:

or leave the mapping the way it is and also map to a new role with this one permission.

1 Like

Thanks, that worked. I was under the mistaken impression that the indices:admin indexes were cluster ops, since they are not data indices.

This also indicates that the cluster_composite_ops_ro actiongroup and readall_and_monitor role are inherently broken, out of the box.