Skip to main content
Last updated: 6 Jun 2024

Manage OpenSearch on AWS

AWS OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch.

Access OpenSearch Dashboard

We typically can’t access an OpenSearch dashboard with the URL provided in the AWS console because the endpoint is in a private subnet in a virtual private cloud (VPC). Therefore to access it we need to configure our system to tunnel into the subnet in the VPC.


  1. Access to a GOV.UK EKS cluster with admin role permissions has been configured and established.

  2. The krelay kubectl plugin and jq command have been installed.

    brew install knight42/tap/krelay jq

Connect to the OpenSearch Dashboard

  1. List OpenSearch domain names:

    aws opensearch list-domain-names | jq -r '.DomainNames[]|.DomainName'
  2. Get OpenSearch host name for the OpenSearch Domain you want to access (e.g. for chat-engine):

    OPENSEARCH_URL=$(aws opensearch describe-domain --domain-name chat-engine | jq -r '.DomainStatus.Endpoints.vpc')
  3. Forward the OpenSearch HTTPS port to your local machine:

    kubectl relay host/$OPENSEARCH_URL 4443:443
  4. The OpenSearch Dashboard web interface username and password for each environment can be found in AWS Secrets Manager. To find the opensearch secret name, use the command:

    aws secretsmanager list-secrets | jq -r '.SecretList[]|select(.Name|contains("opensearch"))|.Name'
  5. Get the credentials from Secrets Manager and display them on screen (e.g. for govuk/govuk-chat/opensearch):

    aws secretsmanager get-secret-value --secret-id govuk/govuk-chat/opensearch | jq -r '.SecretString| tostring' | jq
  6. Open https://localhost:4443/_dashboards in your browser. The TLS certificate will not match localhost, so navigate past the certificate warnings. In Chrome, you can set chrome://flags/#allow-insecure-localhost if you prefer.

  7. Enter the username and password credentials obtained from Secrets Manager to log into the dashboard.