2026/03/09 - Amazon OpenSearch Service - 6 updated API methods
Changes: This change enables cross-account and cross-region access for DataSources. Customers can now define access policies on their data sources to allow other AWS accounts to access and query their data.
{'DataSourceAccessPolicy': 'string'}
Adds a new data source in Amazon OpenSearch Service so that you can perform direct queries on external data.
See also: AWS API Documentation
Request Syntax
client.add_direct_query_data_source(
    DataSourceName='string',
    DataSourceType={
        'CloudWatchLog': {
            'RoleArn': 'string'
        },
        'SecurityLake': {
            'RoleArn': 'string'
        }
    },
    Description='string',
    OpenSearchArns=[
        'string',
    ],
    DataSourceAccessPolicy='string',
    TagList=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)
DataSourceName (string) -- [REQUIRED]
A unique, user-defined label to identify the data source within your OpenSearch Service environment.
DataSourceType (dict) -- [REQUIRED]
The supported Amazon Web Services service that you want to use as the source for direct queries in OpenSearch Service.
CloudWatchLog (dict) --
Specifies CloudWatch Logs as a type of data source for direct queries.
RoleArn (string) -- [REQUIRED]
The unique identifier of the IAM role that grants OpenSearch Service permission to access the specified data source.
SecurityLake (dict) --
Specifies Security Lake as a type of data source for direct queries.
RoleArn (string) -- [REQUIRED]
The unique identifier of the IAM role that grants OpenSearch Service permission to access the specified data source.
Description (string) --
An optional text field for providing additional context and details about the data source.
OpenSearchArns (list) -- [REQUIRED]
A list of Amazon Resource Names (ARNs) for the OpenSearch collections that are associated with the direct query data source.
(string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
DataSourceAccessPolicy (string) --
An optional IAM access policy document that defines the permissions for accessing the data source. The policy document must be in valid JSON format and follow IAM policy syntax.
TagList (list) --
A list of tags attached to a domain.
(dict) --
A tag (key-value pair) for an Amazon OpenSearch Service resource.
Key (string) -- [REQUIRED]
The tag key. Tag keys must be unique for the domain to which they are attached.
Value (string) -- [REQUIRED]
The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of project : Trinity and cost-center : Trinity.
Return type: dict
Response Syntax
{
    'DataSourceArn': 'string'
}
Response Structure
(dict) --
DataSourceArn (string) --
The unique, system-generated identifier that represents the data source.
{'dataSources': {'iamRoleForDataSourceArn': 'string'}}
Creates an OpenSearch UI application. For more information, see Using the OpenSearch user interface in Amazon OpenSearch Service.
See also: AWS API Documentation
Request Syntax
client.create_application(
    clientToken='string',
    name='string',
    dataSources=[
        {
            'dataSourceArn': 'string',
            'dataSourceDescription': 'string',
            'iamRoleForDataSourceArn': 'string'
        },
    ],
    iamIdentityCenterOptions={
        'enabled': True|False,
        'iamIdentityCenterInstanceArn': 'string',
        'iamRoleForIdentityCenterApplicationArn': 'string'
    },
    appConfigs=[
        {
            'key': 'opensearchDashboards.dashboardAdmin.users'|'opensearchDashboards.dashboardAdmin.groups',
            'value': 'string'
        },
    ],
    tagList=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    kmsKeyArn='string'
)
clientToken (string) --
Unique, case-sensitive identifier to ensure idempotency of the request.
This field is autopopulated if not provided.
name (string) -- [REQUIRED]
The unique name of the OpenSearch application. Names must be unique within an Amazon Web Services Region for each account.
dataSources (list) --
The data sources to link to the OpenSearch application.
(dict) --
Data sources that are associated with an OpenSearch application.
dataSourceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSourceDescription (string) --
Detailed description of a data source.
iamRoleForDataSourceArn (string) --
The ARN of the IAM role to be used for cross account/region data source association.
iamIdentityCenterOptions (dict) --
Configuration settings for integrating Amazon Web Services IAM Identity Center with the OpenSearch application.
enabled (boolean) --
Specifies whether IAM Identity Center is enabled or disabled.
iamIdentityCenterInstanceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
iamRoleForIdentityCenterApplicationArn (string) --
The ARN of the IAM role associated with the IAM Identity Center application.
appConfigs (list) --
Configuration settings for the OpenSearch application, including administrative options.
(dict) --
Configuration settings for an OpenSearch application. For more information, see Using the OpenSearch user interface in Amazon OpenSearch Service.
key (string) --
The configuration item to set, such as the admin role for the OpenSearch application.
value (string) --
The value assigned to the configuration key, such as an IAM user ARN.
tagList (list) --
A list of tags attached to a domain.
(dict) --
A tag (key-value pair) for an Amazon OpenSearch Service resource.
Key (string) -- [REQUIRED]
The tag key. Tag keys must be unique for the domain to which they are attached.
Value (string) -- [REQUIRED]
The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of project : Trinity and cost-center : Trinity.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt the application's data at rest. If provided, the application uses your customer-managed key for encryption. If omitted, the application uses an AWS-managed key. The KMS key must be in the same region as the application.
Return type: dict
Response Syntax
{
    'id': 'string',
    'name': 'string',
    'arn': 'string',
    'dataSources': [
        {
            'dataSourceArn': 'string',
            'dataSourceDescription': 'string',
            'iamRoleForDataSourceArn': 'string'
        },
    ],
    'iamIdentityCenterOptions': {
        'enabled': True|False,
        'iamIdentityCenterInstanceArn': 'string',
        'iamRoleForIdentityCenterApplicationArn': 'string',
        'iamIdentityCenterApplicationArn': 'string'
    },
    'appConfigs': [
        {
            'key': 'opensearchDashboards.dashboardAdmin.users'|'opensearchDashboards.dashboardAdmin.groups',
            'value': 'string'
        },
    ],
    'tagList': [
        {
            'Key': 'string',
            'Value': 'string'
        },
    ],
    'createdAt': datetime(2015, 1, 1),
    'kmsKeyArn': 'string'
}
Response Structure
(dict) --
id (string) --
The unique identifier assigned to the OpenSearch application.
name (string) --
The name of the OpenSearch application.
arn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSources (list) --
The data sources linked to the OpenSearch application.
(dict) --
Data sources that are associated with an OpenSearch application.
dataSourceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSourceDescription (string) --
Detailed description of a data source.
iamRoleForDataSourceArn (string) --
The ARN of the IAM role to be used for cross account/region data source association.
iamIdentityCenterOptions (dict) --
The IAM Identity Center settings configured for the OpenSearch application.
enabled (boolean) --
Indicates whether IAM Identity Center is enabled for the OpenSearch application.
iamIdentityCenterInstanceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
iamRoleForIdentityCenterApplicationArn (string) --
The Amazon Resource Name (ARN) of the IAM role assigned to the IAM Identity Center application for the OpenSearch application.
iamIdentityCenterApplicationArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
appConfigs (list) --
Configuration settings for the OpenSearch application, including administrative options.
(dict) --
Configuration settings for an OpenSearch application. For more information, see Using the OpenSearch user interface in Amazon OpenSearch Service.
key (string) --
The configuration item to set, such as the admin role for the OpenSearch application.
value (string) --
The value assigned to the configuration key, such as an IAM user ARN.
tagList (list) --
A list of tags attached to a domain.
(dict) --
A tag (key-value pair) for an Amazon OpenSearch Service resource.
Key (string) --
The tag key. Tag keys must be unique for the domain to which they are attached.
Value (string) --
The value assigned to the corresponding tag key. Tag values can be null and don't have to be unique in a tag set. For example, you can have a key-value pair in a tag set of project : Trinity and cost-center : Trinity.
createdAt (datetime) --
The timestamp indicating when the OpenSearch application was created.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt the application's data at rest.
{'dataSources': {'iamRoleForDataSourceArn': 'string'}}
Retrieves the configuration and status of an existing OpenSearch application.
See also: AWS API Documentation
Request Syntax
client.get_application(
    id='string'
)
id (string) -- [REQUIRED]
The unique identifier of the OpenSearch application to retrieve.
Return type: dict
Response Syntax
{
    'id': 'string',
    'arn': 'string',
    'name': 'string',
    'endpoint': 'string',
    'status': 'CREATING'|'UPDATING'|'DELETING'|'ACTIVE'|'FAILED',
    'iamIdentityCenterOptions': {
        'enabled': True|False,
        'iamIdentityCenterInstanceArn': 'string',
        'iamRoleForIdentityCenterApplicationArn': 'string',
        'iamIdentityCenterApplicationArn': 'string'
    },
    'dataSources': [
        {
            'dataSourceArn': 'string',
            'dataSourceDescription': 'string',
            'iamRoleForDataSourceArn': 'string'
        },
    ],
    'appConfigs': [
        {
            'key': 'opensearchDashboards.dashboardAdmin.users'|'opensearchDashboards.dashboardAdmin.groups',
            'value': 'string'
        },
    ],
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'kmsKeyArn': 'string'
}
Response Structure
(dict) --
id (string) --
The unique identifier of the OpenSearch application.
arn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
name (string) --
The name of the OpenSearch application.
endpoint (string) --
The endpoint URL of the OpenSearch application.
status (string) --
The current status of the OpenSearch application. Possible values: CREATING, UPDATING, DELETING, FAILED, ACTIVE, and DELETED.
iamIdentityCenterOptions (dict) --
The IAM Identity Center settings configured for the OpenSearch application.
enabled (boolean) --
Indicates whether IAM Identity Center is enabled for the OpenSearch application.
iamIdentityCenterInstanceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
iamRoleForIdentityCenterApplicationArn (string) --
The Amazon Resource Name (ARN) of the IAM role assigned to the IAM Identity Center application for the OpenSearch application.
iamIdentityCenterApplicationArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSources (list) --
The data sources associated with the OpenSearch application.
(dict) --
Data sources that are associated with an OpenSearch application.
dataSourceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSourceDescription (string) --
Detailed description of a data source.
iamRoleForDataSourceArn (string) --
The ARN of the IAM role to be used for cross account/region data source association.
appConfigs (list) --
The configuration settings of the OpenSearch application.
(dict) --
Configuration settings for an OpenSearch application. For more information, see Using the OpenSearch user interface in Amazon OpenSearch Service.
key (string) --
The configuration item to set, such as the admin role for the OpenSearch application.
value (string) --
The value assigned to the configuration key, such as an IAM user ARN.
createdAt (datetime) --
The timestamp when the OpenSearch application was created.
lastUpdatedAt (datetime) --
The timestamp of the last update to the OpenSearch application.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt the application's data at rest.
{'DataSourceAccessPolicy': 'string'}
Returns detailed configuration information for a specific direct query data source in Amazon OpenSearch Service.
See also: AWS API Documentation
Request Syntax
client.get_direct_query_data_source(
    DataSourceName='string'
)
DataSourceName (string) -- [REQUIRED]
A unique, user-defined label that identifies the data source within your OpenSearch Service environment.
Return type: dict
Response Syntax
{
    'DataSourceName': 'string',
    'DataSourceType': {
        'CloudWatchLog': {
            'RoleArn': 'string'
        },
        'SecurityLake': {
            'RoleArn': 'string'
        }
    },
    'Description': 'string',
    'OpenSearchArns': [
        'string',
    ],
    'DataSourceAccessPolicy': 'string',
    'DataSourceArn': 'string'
}
Response Structure
(dict) --
DataSourceName (string) --
A unique, user-defined label to identify the data source within your OpenSearch Service environment.
DataSourceType (dict) --
The supported Amazon Web Services service that is used as the source for direct queries in OpenSearch Service.
CloudWatchLog (dict) --
Specifies CloudWatch Logs as a type of data source for direct queries.
RoleArn (string) --
The unique identifier of the IAM role that grants OpenSearch Service permission to access the specified data source.
SecurityLake (dict) --
Specifies Security Lake as a type of data source for direct queries.
RoleArn (string) --
The unique identifier of the IAM role that grants OpenSearch Service permission to access the specified data source.
Description (string) --
A description that provides additional context and details about the data source.
OpenSearchArns (list) --
A list of Amazon Resource Names (ARNs) for the OpenSearch collections that are associated with the direct query data source.
(string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
DataSourceAccessPolicy (string) --
The IAM access policy document that defines the permissions for accessing the direct query data source. Returns the current policy configuration in JSON format, or null if no custom policy is configured.
DataSourceArn (string) --
The unique, system-generated identifier that represents the data source.
{'dataSources': {'iamRoleForDataSourceArn': 'string'}}
Updates the configuration and settings of an existing OpenSearch application.
See also: AWS API Documentation
Request Syntax
client.update_application(
    id='string',
    dataSources=[
        {
            'dataSourceArn': 'string',
            'dataSourceDescription': 'string',
            'iamRoleForDataSourceArn': 'string'
        },
    ],
    appConfigs=[
        {
            'key': 'opensearchDashboards.dashboardAdmin.users'|'opensearchDashboards.dashboardAdmin.groups',
            'value': 'string'
        },
    ]
)
id (string) -- [REQUIRED]
The unique identifier for the OpenSearch application to be updated.
dataSources (list) --
The data sources to associate with the OpenSearch application.
(dict) --
Data sources that are associated with an OpenSearch application.
dataSourceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSourceDescription (string) --
Detailed description of a data source.
iamRoleForDataSourceArn (string) --
The ARN of the IAM role to be used for cross account/region data source association.
appConfigs (list) --
The configuration settings to modify for the OpenSearch application.
(dict) --
Configuration settings for an OpenSearch application. For more information, see Using the OpenSearch user interface in Amazon OpenSearch Service.
key (string) --
The configuration item to set, such as the admin role for the OpenSearch application.
value (string) --
The value assigned to the configuration key, such as an IAM user ARN.
Return type: dict
Response Syntax
{
    'id': 'string',
    'name': 'string',
    'arn': 'string',
    'dataSources': [
        {
            'dataSourceArn': 'string',
            'dataSourceDescription': 'string',
            'iamRoleForDataSourceArn': 'string'
        },
    ],
    'iamIdentityCenterOptions': {
        'enabled': True|False,
        'iamIdentityCenterInstanceArn': 'string',
        'iamRoleForIdentityCenterApplicationArn': 'string',
        'iamIdentityCenterApplicationArn': 'string'
    },
    'appConfigs': [
        {
            'key': 'opensearchDashboards.dashboardAdmin.users'|'opensearchDashboards.dashboardAdmin.groups',
            'value': 'string'
        },
    ],
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
id (string) --
The unique identifier of the updated OpenSearch application.
name (string) --
The name of the updated OpenSearch application.
arn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSources (list) --
The data sources associated with the updated OpenSearch application.
(dict) --
Data sources that are associated with an OpenSearch application.
dataSourceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
dataSourceDescription (string) --
Detailed description of a data source.
iamRoleForDataSourceArn (string) --
The ARN of the IAM role to be used for cross account/region data source association.
iamIdentityCenterOptions (dict) --
The IAM Identity Center configuration for the updated OpenSearch application.
enabled (boolean) --
Indicates whether IAM Identity Center is enabled for the OpenSearch application.
iamIdentityCenterInstanceArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
iamRoleForIdentityCenterApplicationArn (string) --
The Amazon Resource Name (ARN) of the IAM role assigned to the IAM Identity Center application for the OpenSearch application.
iamIdentityCenterApplicationArn (string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
appConfigs (list) --
The configuration settings for the updated OpenSearch application.
(dict) --
Configuration settings for an OpenSearch application. For more information, see Using the OpenSearch user interface in Amazon OpenSearch Service.
key (string) --
The configuration item to set, such as the admin role for the OpenSearch application.
value (string) --
The value assigned to the configuration key, such as an IAM user ARN.
createdAt (datetime) --
The timestamp when the OpenSearch application was originally created.
lastUpdatedAt (datetime) --
The timestamp when the OpenSearch application was last updated.
{'DataSourceAccessPolicy': 'string'}
Updates the configuration or properties of an existing direct query data source in Amazon OpenSearch Service.
See also: AWS API Documentation
Request Syntax
client.update_direct_query_data_source(
    DataSourceName='string',
    DataSourceType={
        'CloudWatchLog': {
            'RoleArn': 'string'
        },
        'SecurityLake': {
            'RoleArn': 'string'
        }
    },
    Description='string',
    OpenSearchArns=[
        'string',
    ],
    DataSourceAccessPolicy='string'
)
DataSourceName (string) -- [REQUIRED]
A unique, user-defined label to identify the data source within your OpenSearch Service environment.
DataSourceType (dict) -- [REQUIRED]
The supported Amazon Web Services service that you want to use as the source for direct queries in OpenSearch Service.
CloudWatchLog (dict) --
Specifies CloudWatch Logs as a type of data source for direct queries.
RoleArn (string) -- [REQUIRED]
The unique identifier of the IAM role that grants OpenSearch Service permission to access the specified data source.
SecurityLake (dict) --
Specifies Security Lake as a type of data source for direct queries.
RoleArn (string) -- [REQUIRED]
The unique identifier of the IAM role that grants OpenSearch Service permission to access the specified data source.
Description (string) --
An optional text field for providing additional context and details about the data source.
OpenSearchArns (list) -- [REQUIRED]
A list of Amazon Resource Names (ARNs) for the OpenSearch collections that are associated with the direct query data source.
(string) --
The Amazon Resource Name (ARN) of the domain. See Identifiers for IAM Entities in Using Amazon Web Services Identity and Access Management for more information.
DataSourceAccessPolicy (string) --
An optional IAM access policy document that defines the updated permissions for accessing the direct query data source. The policy document must be in valid JSON format and follow IAM policy syntax. If not specified, the existing access policy, if present, remains unchanged.
Return type: dict
Response Syntax
{
    'DataSourceArn': 'string'
}
Response Structure
(dict) --
DataSourceArn (string) --
The unique, system-generated identifier that represents the data source.
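A review check for the DataSourceAccessPolicy string accepted by add_direct_query_data_source and update_direct_query_data_source and returned by get_direct_query_data_source, as an added example that is not part of the AWS documentation. The function name review_access_policy, the account IDs and the placeholder action name are assumptions made for illustration; the check relies only on standard IAM policy elements (Effect, Principal, Action, Condition).

```python
import json

# Constructed sample policy; account IDs and the action name are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:root", "999999999999"]},
         "Action": "example:PlaceholderAction", "Resource": "*"},
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM policy fields accept either a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Return (is_wildcard, account_ids) for a statement's Principal element."""
    if principal == "*":
        return True, set()
    wildcard, accounts = False, set()
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    for entry in map(str, _as_list(aws)):
        if entry == "*":
            wildcard = True
        elif entry.isdigit() and len(entry) == 12:
            accounts.add(entry)                # bare account ID
        elif entry.startswith("arn:") and entry.count(":") >= 5:
            accounts.add(entry.split(":")[4])  # account field of the ARN
    return wildcard, accounts


def review_access_policy(policy_json, owner_account, allowed_accounts=()):
    """Return findings for a DataSourceAccessPolicy string; [] means nothing flagged."""
    if policy_json is None:  # the get call returns null when no custom policy is set
        return []
    try:
        doc = json.loads(policy_json)
    except (TypeError, ValueError) as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or "Statement" not in doc:
        return ["policy has no Statement element"]
    trusted = {owner_account, *allowed_accounts}
    findings = []
    for i, stmt in enumerate(_as_list(doc["Statement"])):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        wildcard, accounts = _principal_accounts(stmt.get("Principal"))
        if wildcard and not stmt.get("Condition"):
            findings.append(f"Statement[{i}]: Principal '*' with no Condition")
        for acct in sorted(accounts - trusted):
            findings.append(f"Statement[{i}]: grants access to unapproved account {acct}")
        if "*" in _as_list(stmt.get("Action")):
            findings.append(f"Statement[{i}]: Action '*'")
    return findings


if __name__ == "__main__":
    for line in review_access_policy(SAMPLE_POLICY, "111122223333", ["444455556666"]):
        print(line)
```

Run it on the policy string before passing it as DataSourceAccessPolicy, or on the value returned by get_direct_query_data_source during an access review.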