Opensearch support for AWS Auth #2375

@mauricioalarcon

🚀 The feature

The current OpenSearch configuration expects you to pass a username and password, but some enterprises require AWS authentication via SAML instead and do not allow basic authentication.

I see that mem0 uses opensearch-py, which supports authentication via AWSV4SignerAuth or AWS4Auth as described here

Motivation, pitch

The current OpenSearch configuration relies on basic authentication (username and password), which poses security and compliance challenges for enterprises that enforce stricter authentication mechanisms. Many organizations mandate AWS authentication via SAML or IAM-based authentication (e.g., AWS SigV4) to ensure seamless integration with their security policies.

Why This Matters:
1. Enterprise Compliance & Security:
• Many organizations prohibit storing or using static credentials for authentication.
• AWS IAM-based authentication (e.g., AWS SigV4) ensures secure, short-lived, and role-based access.
• Supporting AWS authentication would make OpenSearch more compliant with industry security standards.
2. Scalability & Maintainability:
• Managing users and passwords at scale is error-prone and less secure compared to using IAM roles.
• IAM authentication eliminates the need to manually rotate credentials, reducing operational overhead.
• AWS-managed authentication makes it easier to integrate with AWS Organizations, IAM Identity Center (SAML), and federated access control.
3. Seamless AWS Integration:
• Enterprises running OpenSearch on AWS would benefit from native AWS authentication to simplify access management.
• This enables fine-grained access control (FGAC) through IAM policies instead of relying on OpenSearch’s internal user management.
4. Improved Developer Experience:
• Developers would no longer need to manage credentials manually when accessing OpenSearch from AWS Lambda, EC2, ECS, or other AWS services.
• The opensearch-py library already supports AWSV4SignerAuth and AWS4Auth, meaning adding this feature aligns with existing AWS best practices.

Proposed Solution:
• Enhance authentication options by allowing AWS authentication (AWSV4SignerAuth or AWS4Auth) as a first-class feature in OpenSearch configuration.
• Provide a configuration toggle to enable AWS SigV4 authentication instead of requiring static credentials.
• Enable support for role-based access, making OpenSearch a more secure and enterprise-friendly solution.
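One way the proposed toggle could look, as an added example that is not part of the original issue and is not mem0's code. The `OpenSearchAuthConfig` fields, the `auth_mode` values and both function names are hypothetical; `AWSV4SignerAuth`, `RequestsHttpConnection` and `boto3.Session().get_credentials()` are the existing opensearch-py and boto3 calls.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class OpenSearchAuthConfig:  # hypothetical config shape, not mem0's actual class
    host: str
    port: int = 443
    auth_mode: str = "basic"  # "basic" or "sigv4" (the proposed toggle)
    user: Optional[str] = None
    password: Optional[str] = None
    region: Optional[str] = None
    service: str = "es"  # "es" = managed domain, "aoss" = OpenSearch Serverless


def default_sigv4_auth(region: str, service: str) -> dict:
    """Build SigV4 auth from the ambient AWS credential chain (role, SSO, env)."""
    import boto3  # lazy imports: basic-auth users need no AWS packages
    from opensearchpy import AWSV4SignerAuth, RequestsHttpConnection

    credentials = boto3.Session().get_credentials()
    if credentials is None:
        raise RuntimeError("no AWS credentials found in the default chain")
    return {
        "http_auth": AWSV4SignerAuth(credentials, region, service),
        "connection_class": RequestsHttpConnection,
    }


def build_client_kwargs(cfg: OpenSearchAuthConfig,
                        sigv4_factory: Callable[[str, str], dict] = default_sigv4_auth) -> dict:
    """Return keyword arguments for opensearchpy.OpenSearch(**kwargs)."""
    kwargs = {
        "hosts": [{"host": cfg.host, "port": cfg.port}],
        "use_ssl": True,  # SigV4 signs requests but does not encrypt them
        "verify_certs": True,
    }
    if cfg.auth_mode == "sigv4":
        if cfg.user or cfg.password:  # fail closed: no static secret alongside IAM auth
            raise ValueError("sigv4 mode must not be combined with user/password")
        if not cfg.region:
            raise ValueError("sigv4 mode requires a region")
        kwargs.update(sigv4_factory(cfg.region, cfg.service))
    elif cfg.auth_mode == "basic":
        if not (cfg.user and cfg.password):
            raise ValueError("basic mode requires user and password")
        kwargs["http_auth"] = (cfg.user, cfg.password)
    else:
        raise ValueError(f"unknown auth_mode: {cfg.auth_mode!r}")
    return kwargs
```

With opensearch-py and boto3 installed, the result is passed as `OpenSearch(**build_client_kwargs(cfg))`; the signer reads credentials from the session, so nothing secret is stored in the configuration.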
