Aws ElasticSearch未从Lambda where访问,而是从本地主机访问

nuypyhwy  于 2023-01-20  发布在  ElasticSearch
关注(0)|答案(2)|浏览(500)

我在AWS中部署了一个ElasticSearch示例,可以通过脉冲访问。我可以轻松地在localhost上查询数据,但当我在AWS lambda上部署时,我收到以下错误
消息:“用户:arn:aws:sts::xxxxxxxx:假定角色/基础设施开发人员-us-east-2-lambda角色/zeong-immigration-基础设施开发人员-app未被授权执行以下操作:es:ESHttpPost,因为没有基于身份的策略允许es:ESHttpPost操作'
这是我的博客

iamRoleStatements:
      - Effect: Allow
      Action:
        - es:ESHttpPost
        - es:ESHttpPut
        - es:ESHttpDelete
        - es:ESHttpGet
      Resource:
        - {'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn']}
        - {
            'Fn::Join':
              [
                '',
                [
                  'Fn::GetAtt': ['ElasticSearchInstance', 'DomainArn'],
                  '/*',
                ],
              ],
          }
      Condition:
        IpAddress:
          aws:SourceIp:
            - '0.0.0.0' # Whitelisted IP
  resources:
   Resources:
    ElasticSearchInstance:
      Type: AWS::Elasticsearch::Domain
      Properties:
        EBSOptions:
          EBSEnabled: true
          VolumeType: gp2
          VolumeSize: 10
        ElasticsearchClusterConfig:
          InstanceType: t2.small.elasticsearch
          InstanceCount: 1
          DedicatedMasterEnabled: false
          ZoneAwarenessEnabled: false
        ElasticsearchVersion: 5.3
        AccessPolicies:
          Version: '2012-10-17'
          Statement:
            - Effect: 'Allow'
              Principal:
                AWS: '*'
              Action: 'es:*'
              Resource: '*'
              Condition:
                IpAddress:
                  aws:SourceIp: ['182.177.251.40', '103.115.199.162']
        AdvancedOptions:
          rest.action.multi.allow_explicit_index: 'tru

e'

请帮帮忙

zdwk9cvp

zdwk9cvp1#

尝试将ActionPolicies操作设置为

Action: [
    "es:*"
],

您好像忘记了“[]”
在此处查看文档:https://docs.aws.amazon.com/opensearch-service/latest/developerguide/ac.html

7vhp5slm

7vhp5slm2#

我能够通过在ElasticSearch示例中使用principal来解决上述问题,如前面提到的here
仍然没有解决错误,所以最后在删除

Condition:
    IpAddress:
      aws:SourceIp:
        - '0.0.0.0' # Whitelisted IP

从IamRoleStatement中,我能够解决该问题

相关问题