Amazon Elasticsearch
Overview
A datasource consists of a resource and the credentials used to access it. This guide describes how to add Amazon OpenSearch/Elasticsearch as a datasource in the StrongDM Admin UI using access keys.
Amazon Elasticsearch and Amazon OpenSearch are both supported by StrongDM via this datasource type. We support the following combinations:
Elasticsearch domain with Elasticsearch cluster
OpenSearch domain with Elasticsearch cluster
Opensearch domain with OpenSearch cluster
To add Elasticsearch or OpenSearch as a datasource in the Admin UI, set the following configuration properties. For more information, see our main guide, Add a Datasource.
To use IAM rather than access keys, see the Amazon ES (IAM) page.
Prerequisites
To add a datasource, make sure you have met the following prerequisites:
Properly configure an account for your resource. If you choose to store credentials for the resource with StrongDM, have those credentials ready. When not using StrongDM, set up a Secret Store integration and be able to enter the location of the secrets required to access the resource.
The hostname or endpoint you enter for your resource must be accessible by at least one gateway or relay. To verify this, log in to the gateway or relay and use the
nc -zv <YOUR_HOSTNAME> <YOUR_PORT>Netcat command. For example, usenc -zv testdb-01.fancy.org 5432. If your gateway server can connect to this hostname, you can proceed.
Add a Datasource
To add Amazon ES as a StrongDM resource, use the following steps.
Log in to the StrongDM Admin UI.
Go to Resources > Datasources.
Click Add datasource.
Select Amazon ES as the Datasource Type and set other configuration properties for your new database resource.
Complete all required fields.
Click Create to save the resource.
Click the resource name to view status, diagnostic information, and setting details.
Resource properties
Configuration properties are visible when you add a datasource or when you click to view its settings. The following table describes the settings available for your Amazon ES database.
Display Name
Required
Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Datasource Type
Required
Select Amazon ES
Proxy Cluster
Required
Defaults to "None (use gateways)"; if using proxy clusters, select the appropriate cluster to proxy traffic to this resource
Endpoint
Required
API server endpoint of the resource in the format <ID>.<REGION>.es.amazonaws.com, such as A95FBC180B680B58A6468EF360D16E96.yl4.us-west-2.es.amazonaws.com; StrongDM node should be able to connect to your ES endpoint
Connectivity Mode
Required
Select either Virtual Networking Mode, which lets users connect to the resource with a software-defined, IP-based network; or Loopback Mode, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if Virtual Networking Mode enabled for your organization
IP Address
Optional
If Virtual Networking Mode is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if Loopback Mode is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, 127.0.0.1); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if Virtual Networking Mode and/or multi-loopback mode is enabled for your organization
Port Override
Optional
If Virtual Networking Mode is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if Loopback Mode is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the Port Overrides settings
DNS
Optional
If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, k8s.my-organization-name) instead of the bind address that includes IP address and port (for example, 100.64.100.100:5432)
Region
Required
AWS region (for example, us-east-1)
Secret Store
Optional
Credential store location; defaults to Strong Vault; learn more about Secret Store options
Access Key ID
Required
Access key ID, such as AKIAIOSFODNN7EXAMPLE, from your AWS key pair
Secret Access Key
Required
Secret access key, such as wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, from your AWS key pair
Assume Role ARN
Optional
Role ARN, such as arn:aws:iam::000000000000:role/RoleName, that allows users accessing this resource to assume a role using AWS AssumeRole functionality
Assume Role External ID
Optional
External ID role to assume after login (for example 12345)
Resource Tags
Optional
Datasource Tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)
Secret Store options
By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.
Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.
Resource status
After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.
When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.
Last updated
Was this helpful?