aws-es-proxy is a small web server application sitting between your HTTP client (browser, curl, etc...) and Amazon Elasticsearch service.
Switch branches/tags
Clone or download
abutaha Merge pull request #26 from dlackty/homebrew
Add homebrew installation. Close #22
Latest commit f2d32b0 Apr 15, 2018


aws-es-proxy is a small web server application sitting between your HTTP client (browser, curl, etc...) and Amazon Elasticsearch service. It will sign your requests using latest AWS Signature Version 4 before sending the request to Amazon Elasticsearch. When response is back from Amazon Elasticsearch, this response will be sent back to your HTTP client.

Kibana requests are also signed automatically.


Download binary executable

aws-es-proxy has single executable binaries for Linux, Mac and Windows.

Download the latest aws-es-proxy release.

Via homebrew

brew install aws-es-proxy

Build from Source


#requires go1.5
mkdir -p $GOPATH/src/
cd $GOPATH/src/
git clone
cd aws-es-proxy
glide install
go build

Configuring Credentials

Before using aws-es-proxy, ensure that you've configured your AWS IAM user credentials. The best way to configure credentials on a development machine is to use the ~/.aws/credentials file, which might look like:

aws_access_key_id = AKID1234567890
aws_secret_access_key = MY-SECRET-KEY

Alternatively, you can set the following environment variables:

export AWS_ACCESS_KEY_ID=AKID1234567890

aws-es-proxy also supports IAM roles. To use IAM roles, you need to modify your Amazon Elasticsearch access policy to allow access from that role. Below is an Amazon Elasticsearch access policy example allowing access from any EC2 instance with an IAM role called ec2-aws-elasticsearch.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::012345678910:role/ec2-aws-elasticsearch"
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:012345678910:domain/test-es-domain/*"

Usage example:

./aws-es-proxy -endpoint
Listening on

aws-es-proxy listens on if no additional argument is provided. You can change the IP and Port passing the argument -listen

./aws-es-proxy -listen :8080 -endpoint ...
./aws-es-proxy -listen -endpoint ...

By default, aws-es-proxy will not display any message in the console. However, it has the ability to print requests being sent to Amazon Elasticsearch, and the duration it takes to receive the request back. This can be enabled using the option -verbose

./aws-es-proxy -verbose ...
Listening on
2016/10/31 19:48:23  -> GET / 200 1.054s
2016/10/31 19:48:30  -> GET /_cat/indices?v 200 0.199s
2016/10/31 19:48:37  -> GET /_cat/shards?v 200 0.196s
2016/10/31 19:48:49  -> GET /_cat/allocation?v 200 0.179s
2016/10/31 19:49:10  -> PUT /my-test-index 200 0.347s

For a full list of available options, use -h:

./aws-es-proxy -h
Usage of ./aws-es-proxy:
  -endpoint string
        Amazon ElasticSearch Endpoint (e.g:
  -listen string
        Local TCP port to listen on (default "")
        Log user requests and ElasticSearch responses to files
        Disable AWS Signature v4
        Prettify verbose and file output
        Print user requests


There is an official docker image avaiable for aws-es-proxy. To run the image:

# Prints usage info (-h)
docker run --rm -it abutaha/aws-es-proxy

# Runs with custom command/args
docker run --rm -it abutaha/aws-es-proxy ./aws-es-proxy -endpoint

To expose a port number other than the default 9200, pass an environment variable of PORT_NUM to docker with the port number you wish to expose for your service.

Using HTTP Clients

After you run aws-es-proxy, you can now open your Web browser on http://localhost:9200. Everything should be working as you have your own instance of ElasticSearch running on port 9200.

To access Kibana, use http://localhost:9200/_plugin/kibana/