Opensearch support for AWS Auth #2375

Open
mauricioalarcon opened this issue Mar 13, 2025 · 1 comment

🚀 The feature

The current OpenSearch configuration expects you to pass a username and password, but some enterprises require AWS authentication via SAML instead and do not allow basic authentication.

I see that mem0 uses opensearch-py, which supports authentication via AWSV4SignerAuth or AWS4Auth as described here

Motivation, pitch

The current OpenSearch configuration relies on basic authentication (username and password), which poses security and compliance challenges for enterprises that enforce stricter authentication mechanisms. Many organizations mandate AWS authentication via SAML or IAM-based authentication (e.g., AWS SigV4) to ensure seamless integration with their security policies.

Why This Matters:
1. Enterprise Compliance & Security:
   • Many organizations prohibit storing or using static credentials for authentication.
   • AWS IAM-based authentication (e.g., AWS SigV4) ensures secure, short-lived, and role-based access.
   • Supporting AWS authentication would make OpenSearch more compliant with industry security standards.
2. Scalability & Maintainability:
   • Managing users and passwords at scale is error-prone and less secure compared to using IAM roles.
   • IAM authentication eliminates the need to manually rotate credentials, reducing operational overhead.
   • AWS-managed authentication makes it easier to integrate with AWS Organizations, IAM Identity Center (SAML), and federated access control.
3. Seamless AWS Integration:
   • Enterprises running OpenSearch on AWS would benefit from native AWS authentication to simplify access management.
   • This enables fine-grained access control (FGAC) through IAM policies instead of relying on OpenSearch’s internal user management.
4. Improved Developer Experience:
   • Developers would no longer need to manage credentials manually when accessing OpenSearch from AWS Lambda, EC2, ECS, or other AWS services.
   • The opensearch-py library already supports AWSV4SignerAuth and AWS4Auth, meaning adding this feature aligns with existing AWS best practices.

Proposed Solution:
• Enhance authentication options by allowing AWS authentication (AWSV4SignerAuth or AWS4Auth) as a first-class feature in OpenSearch configuration.
• Provide a configuration toggle to enable AWS SigV4 authentication instead of requiring static credentials.
• Enable support for role-based access, making OpenSearch a more secure and enterprise-friendly solution.
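
One way the requested toggle could look, as an added example that is not code from this issue, the linked PR, or mem0. The names `OpenSearchAuthConfig`, `build_client_kwargs` and `auth_mode` are hypothetical; the opensearch-py and boto3 calls are those libraries' real APIs, and both packages are assumed to be installed when SigV4 mode is used.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional


@dataclass
class OpenSearchAuthConfig:
    """Hypothetical config shape for this example; not mem0's actual schema."""
    host: str
    port: int = 443
    auth_mode: str = "basic"       # "basic" or "sigv4" (assumed toggle name)
    user: Optional[str] = None
    password: Optional[str] = None
    region: Optional[str] = None   # required for sigv4
    service: str = "es"            # "es" = managed domain, "aoss" = Serverless


def build_client_kwargs(cfg: OpenSearchAuthConfig) -> Dict[str, Any]:
    """Validate cfg and return keyword arguments for opensearchpy.OpenSearch()."""
    kwargs: Dict[str, Any] = {
        "hosts": [{"host": cfg.host, "port": cfg.port}],
        "use_ssl": True,       # never send passwords or signed requests in clear
        "verify_certs": True,
    }
    if cfg.auth_mode == "basic":
        if not (cfg.user and cfg.password):
            raise ValueError("basic auth requires user and password")
        kwargs["http_auth"] = (cfg.user, cfg.password)
        return kwargs
    if cfg.auth_mode != "sigv4":
        raise ValueError(f"unknown auth_mode: {cfg.auth_mode!r}")
    # Fail closed: a leftover static password must not sit next to IAM auth.
    if cfg.user or cfg.password:
        raise ValueError("sigv4 mode must not carry static credentials")
    if not cfg.region or cfg.service not in ("es", "aoss"):
        raise ValueError("sigv4 requires region and service 'es' or 'aoss'")
    # Imported lazily so basic-auth users need neither boto3 nor requests.
    import boto3
    from opensearchpy import AWSV4SignerAuth, RequestsHttpConnection
    # Default provider chain: env vars, SSO/SAML profile, ECS/EC2/Lambda role.
    credentials = boto3.Session().get_credentials()
    if credentials is None:
        raise RuntimeError("no AWS credentials found in the default chain")
    kwargs["http_auth"] = AWSV4SignerAuth(credentials, cfg.region, cfg.service)
    kwargs["connection_class"] = RequestsHttpConnection
    return kwargs
```

The result is passed straight to the client as `OpenSearch(**build_client_kwargs(cfg))`; in SigV4 mode no secret appears in the configuration at all.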

mauricioalarcon added a commit to mauricioalarcon/mem0 that referenced this issue Mar 13, 2025
This commit introduces a new test validating the initialization of `OpenSearchDB` with `AWSV4SignerAuth` for HTTP authentication. Additionally, it updates the `poetry.lock` file to reflect dependency changes with Poetry 2.1.1.

Related to mem0ai#2375

@mauricioalarcon (Contributor, Author)

I've just opened this PR with a possible fix for this #2376
