将快照从 S3 恢复到 AWS 托管弹性搜索时出现安全令牌服务异常

Security token service exception while restoring snapshot from S3 to AWS managed elasticsearch

我有一个 AWS 托管的 Elasticsearch 服务(比如 smallES),它有一个正常工作的 S3 存储桶,它包含过去 1 年的逐日滚动索引。出于某些商业原因,我创建了另一个 AWS 托管的 ES 集群(比如 bigES)。我想将过去 1 年的数据从 bucket 恢复到 bigES。保证 smallES bigESbucket 都在同一个区域,同一个VPC。

所以,我制定了一个政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::bucket/*"
            ]
        }
    ]
}

并为政策附加角色。该角色的信任关系是

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
       }
    ]
}

现在,当我在同一个 VPC 中通过 http 请求创建快照时,它可以为 bigES 创建一个快照存储库,我也可以查询它

curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_snapshot'

输出

{
    "snapshot-repo": {
        "type": "s3",
        "settings": {
            "bucket": "bucket",
            "region": "region",
            "role_arn": "role_arn"
        }
    }
}

但是当我尝试查看此快照存储库中的快照时出现错误(如下所述)

curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'

我收到以下错误:

{
    "error": {
        "root_cause": [
            {
                "type": "a_w_s_security_token_service_exception",
                "reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
            }
        ],
        "type": "a_w_s_security_token_service_exception",
        "reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
    },
    "status": 500
}

我已将 s3 的所有访问权限授予我的角色,但没有成功。我已经发布了 VPC 内一台 ec2 机器的所有 http 请求。

还要提一下,如果我像下面这样查询,我会看到预期的结果

curl -XGET 'http://smallESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'

IDK 为什么我尝试制作一个具有如下信任关系的角色。仍然没有运气。

{
    "Version": "2012-10-17",
    "Statement": [
      {
          "Effect": "Allow",
          "Principal": {
              "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
      }
    ]
}

提前感谢任何类型的 help/suggestions。

我使用以下策略解决了这个问题

{
"Statement": [
    {
        "Action": [
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:ListBucketMultipartUploads",
            "s3:ListBucketVersions"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bucket-name"
        ]
    },
    {
        "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:AbortMultipartUpload",
            "s3:ListMultipartUploadParts",
            "iam:PassRole"
        ],
        "Effect": "Allow",
        "Resource": [
            "arn:aws:s3:::bucket-name/*"
        ]
    }
],
"Version": "2012-10-17"
}

然后我将策略附加到角色。我认为 "iam:PassRole" 已经完成了工作。

我遇到了同样的问题,这是因为我没有让 Elasticsearch 服务承担这个角色。我必须更新我的信任关系政策文件以包含 es.amazonaws.com.

{
  "Version": "2012-10-17",
   "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "es.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}