# OpenSearch

## Prerequisites

* You are an admin of the OpenSearch domain/collection.
* The OpenSearch instances are network accessible to the environment in which Teleskope is deployed.

## Supported Authentication Methods

1. Username / Password (Basic Auth)
2. AWS IAM

***

{% stepper %}
{% step %}

## Create OpenSearch users

#### Option 1: Basic Auth

1. Create a user in OpenSearch (Settings → Security → Internal Users):
   1. Username: `teleskope_ro`
   2. Password: `{secure_password}`
2. Assign the new user to a role
   1. The existing role `readall` has the appropriate permissions.
   2. To scope down by index, create a custom role with index filters, and apply the cluster permissions `cluster_composite_ops_ro`.
   3. Go to mapped users, and add the new internal user.
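
The scoped-down role from step 2, written as OpenSearch Security REST API requests for Dev Tools. This is an added example, not taken from Teleskope's documentation: the role name `teleskope_ro_scoped` and the index pattern `customer-*` are placeholders, and the `read` action group is assumed to be sufficient for the indices you expose.

```json
# Added example. Role name and index pattern are placeholders; adjust to your indices.
# Assumption: the "read" action group is enough for the connector on these indices.
PUT _plugins/_security/api/roles/teleskope_ro_scoped
{
  "cluster_permissions": ["cluster_composite_ops_ro"],
  "index_permissions": [
    {
      "index_patterns": ["customer-*"],
      "allowed_actions": ["read"]
    }
  ]
}

# Map the internal user from step 1 to the new role.
# PUT replaces any existing mapping stored under this role name.
PUT _plugins/_security/api/rolesmapping/teleskope_ro_scoped
{
  "users": ["teleskope_ro"]
}

# Confirm the stored role definition before enrolling the instance.
GET _plugins/_security/api/roles/teleskope_ro_scoped
```

With IAM Auth, the mapping body lists the role ARN under `backend_roles` instead of `users`.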

#### Option 2: IAM Auth

1. See [AWS](https://docs.teleskope.ai/connectors/aws), and add the Teleskope role to the target accounts if it does not exist.
2. Attach the **`AmazonOpenSearchServiceReadOnlyAccess`** IAM Policy to the role, or scope it down to select resources:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
             "es:Describe*",
             "es:List*",
             "es:Get*"
         ],
         "Resource": "*"
       }
     ]
   }
   ```
3. Assign the **backend user** a role in OpenSearch (Settings → Security → Roles):
   1. Edit `readall` or your custom role.
   2. Go to mapped users, and add the backend role by ARN (e.g. `arn:aws:iam::{origin_aws_account_id}:role/system/TeleskopeRole`).
      {% endstep %}

{% step %}

## Enroll OpenSearch in Teleskope

1. Gather the following details for your OpenSearch instance:
   1. Endpoint
   2. Region
   3. Provider
2. Select the authentication method
3. Supply the credentials:
   1. **Basic Auth:** enter the username/password.
   2. **IAM Auth:** select the AWS account where the OpenSearch instance and IAM role belong.
      {% endstep %}
      {% endstepper %}
