This repository has been archived by the owner on Jun 15, 2023. It is now read-only.

es:CreateElasticsearchServiceRole missing from Elasticsearch service actions #163

Closed
andywickersham opened this issue Dec 3, 2019 · 4 comments

Comments

@andywickersham

The Elasticsearch documentation is missing the "es:CreateElasticsearchServiceRole" action which is required when creating a new Elasticsearch domain.

Documentation URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticsearchservice.html

@jsoncow

jsoncow commented Dec 3, 2019

Hi Andy!

To create a ServiceRole for Elasticsearch, this is tied to the IAM action iam:CreateServiceLinkedRole.

It's interesting. There is es:DeleteElasticsearchServiceRole for a manual deletion of the ES Service Role, but the create is handled by an API action that falls under the broader IAM service umbrella.

https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/slr-es.html

@andywickersham
Author

andywickersham commented Dec 4, 2019

This is the CloudTrail error:
User: arn:aws:sts::[ACCOUNT ID]:assumed-role/SecurityOperations/[USER] is not authorized to perform: es:CreateElasticsearchServiceRole on resource: arn:aws:es:us-east-1:[ACCOUNT ID]:domain/*

This is the IAM policy statement that fixed it:

```yaml
Sid: AllowESRoleCreate
Effect: Allow
Action: es:CreateElasticsearchServiceRole
Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/*/*'
```
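As an added illustration (not code from the issue or from AWS), the following Python parses the CloudTrail-style AccessDenied message quoted above and produces a least-privilege policy that covers both actions named in this thread: the `es:CreateElasticsearchServiceRole` action from the denial, scoped to the resource the denial reported, and `iam:CreateServiceLinkedRole` restricted to the Elasticsearch service principal via the `iam:AWSServiceName` condition key. The account id, user name and message text are constructed placeholders; `policy_covers` is a hypothetical literal-match helper, not an IAM evaluation engine.

```python
import re

# Shape of the AccessDenied message quoted in the thread:
# "User: <principal arn> is not authorized to perform: <action> on resource: <arn>"
_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>\S+)"
)

# Constructed sample modelled on the error in the issue (account id and user are placeholders).
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/SecurityOperations/alice "
    "is not authorized to perform: es:CreateElasticsearchServiceRole "
    "on resource: arn:aws:es:us-east-1:111122223333:domain/*"
)


def parse_access_denied(message: str) -> dict:
    """Return {'principal', 'action', 'resource'} parsed from an AccessDenied message."""
    m = _DENIED_RE.search(message)
    if not m:
        raise ValueError("not an AccessDenied message")
    return m.groupdict()


def build_domain_create_policy(es_resource: str) -> dict:
    """Least-privilege policy for the two actions discussed in the thread."""
    # The es:* action is scoped to the resource the denial named; the service-linked
    # role creation is limited to the Elasticsearch service principal by condition key.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowESRoleCreate", "Effect": "Allow",
             "Action": "es:CreateElasticsearchServiceRole", "Resource": es_resource},
            {"Sid": "AllowESServiceLinkedRole", "Effect": "Allow",
             "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
             "Condition": {"StringEquals": {"iam:AWSServiceName": "es.amazonaws.com"}}},
        ],
    }


def policy_covers(policy: dict, action: str) -> bool:
    """True if an Allow statement names the action literally (no wildcard matching)."""
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if stmt["Effect"] == "Allow" and action in actions:
            return True
    return False
```

Run `build_domain_create_policy(parse_access_denied(SAMPLE_ERROR)["resource"])` to get the policy document as a dict ready for `json.dumps`.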

@jsoncow

jsoncow commented Dec 4, 2019

Interesting!

You're right. I see it in my CloudTrail as well now.

@aws, this should be fixed in the ES User Guide as well. https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/slr-es.html

@bonniekeller
Contributor

Thank you for bringing this to our attention. The information on this page https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticsearchservice.html is generated automatically with information provided by the Elasticsearch team. I've cut the Elasticsearch service team a ticket to review your issue. Someone from the service team will get back to you about this issue.

@ericthoj ericthoj closed this as completed Nov 4, 2021