Kibana Fine Grained Access Control - Multiple Kibana Groups


I have different kibana roles set up in AWS Elasticsearch to protect different indices. These kibana roles are mapped to IAM roles, which are mapped to Cognito groups.

My plan was to assign users into the one or more cognito groups and this would grant them access to their respective kibana indices.

However, when I attempt to log in with a Cognito token containing multiple elements in the cognito:roles collection, I receive an error: OpenDistro ES: Missing Role No roles available for this user, please contact your system administrator.

Is this expected? The examples only include users that are part of a single cognito group (either limited user or admin). I'm able to log in if I'm part of one cognito group but as soon as I am part of multiple, I receive the error above. I expected to have multiple kibana roles.

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html

https://github.com/aws-samples/amazon-elasticsearch-service-with-cognito/blob/master/lib/search-stack.ts

There is 1 best solution below

Apparently that is a design limitation per an AWS architect, although it does not help solve my use case:

The ES Fine Grained Access Control is designed to map only one backend role with an IAM role for a Cognito token. Will you be able to merge multiple backend roles into one role? Is this an option? This will have the benefit of grouping users with similar needs; you have fewer Cognito groups and IAM roles to manage.

AWS WWCS Geo Solutions Architecture
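An added example, not code from the question, the answer, or AWS, showing what the suggested workaround amounts to: union the narrow backend roles into one role definition that can be mapped to a single IAM role, so the widened grant is visible for review before it is applied, plus a pre-flight check for the multi-role token case from the question. Role names, index patterns, action names and the ARN are constructed; the JSON shapes follow the Open Distro security role and role-mapping bodies as I understand them, and the assumption that the IAM role ARN assumed via Cognito is the backend role is mine.

```python
# Constructed sample: two narrow Open Distro backend roles, one per index
# family, of the kind the question maps to separate Cognito groups / IAM roles.
NARROW_ROLES = {
    "logs_reader": {
        "index_permissions": [
            {"index_patterns": ["app-logs-*"], "allowed_actions": ["read"]}
        ]
    },
    "metrics_reader": {
        "index_permissions": [
            {"index_patterns": ["metrics-*"], "allowed_actions": ["read"]},
            {"index_patterns": ["app-logs-*"], "allowed_actions": ["search"]},
        ]
    },
}


def merge_roles(roles):
    """Union the index permissions of several roles into one role body.

    Permissions are keyed by index pattern so duplicates collapse and the
    resulting grant per pattern can be audited before the merged role is
    created (the merged role is necessarily broader than any single input).
    """
    merged = {}
    for role in roles.values():
        for perm in role["index_permissions"]:
            for pattern in perm["index_patterns"]:
                merged.setdefault(pattern, set()).update(perm["allowed_actions"])
    return {
        "index_permissions": [
            {"index_patterns": [p], "allowed_actions": sorted(a)}
            for p, a in sorted(merged.items())
        ]
    }


def role_mapping(iam_role_arn):
    """Mapping body: the IAM role ARN assumed via Cognito acts as the backend role (assumption)."""
    return {"backend_roles": [iam_role_arn]}


def cognito_roles_ok(id_token_claims):
    """True only when the decoded ID token carries exactly one IAM role.

    More than one entry in cognito:roles reproduces the 'Missing Role' error
    from the question, so flag it before the user reaches the Kibana login.
    """
    return len(id_token_claims.get("cognito:roles", [])) == 1
```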