将快照从 S3 恢复到 AWS 托管弹性搜索时出现安全令牌服务异常
Security token service exception while restoring snapshot from S3 to AWS managed elasticsearch
我有一个 AWS 托管的 Elasticsearch 服务(比如 smallES),它有一个正常工作的 S3 存储桶,它包含过去 1 年的逐日滚动索引。出于某些商业原因,我创建了另一个 AWS 托管的 ES 集群(比如 bigES)。我想将过去 1 年的数据从 bucket 恢复到 bigES。保证 smallES bigES 和 bucket 都在同一个区域,同一个VPC。
所以,我制定了一个政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
并为政策附加角色。该角色的信任关系是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
现在,当我在同一个 VPC 中通过 http 请求创建快照时,它可以为 bigES 创建一个快照存储库,我也可以查询它
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_snapshot'
输出
{
"snapshot-repo": {
"type": "s3",
"settings": {
"bucket": "bucket",
"region": "region",
"role_arn": "role_arn"
}
}
}
但是当我尝试查看此快照存储库中的快照时出现错误(如下所述)
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
我收到以下错误:
{
"error": {
"root_cause": [
{
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
}
],
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
},
"status": 500
}
我已将 s3 的所有访问权限授予我的角色,但没有成功。我已经发布了 VPC 内一台 ec2 机器的所有 http 请求。
还要提一下,如果我像下面这样查询,我会看到预期的结果
curl -XGET 'http://smallESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
IDK 为什么我尝试制作一个具有如下信任关系的角色。仍然没有运气。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
提前感谢任何类型的 help/suggestions。
我使用以下策略解决了这个问题
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
],
"Version": "2012-10-17"
}
然后我将策略附加到角色。我认为 "iam:PassRole" 已经完成了工作。
我遇到了同样的问题,这是因为我没有让 Elasticsearch 服务承担这个角色。我必须更新我的信任关系政策文件以包含 es.amazonaws.com.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"es.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
我有一个 AWS 托管的 Elasticsearch 服务(比如 smallES),它有一个正常工作的 S3 存储桶,它包含过去 1 年的逐日滚动索引。出于某些商业原因,我创建了另一个 AWS 托管的 ES 集群(比如 bigES)。我想将过去 1 年的数据从 bucket 恢复到 bigES。保证 smallES bigES 和 bucket 都在同一个区域,同一个VPC。
所以,我制定了一个政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
并为政策附加角色。该角色的信任关系是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
现在,当我在同一个 VPC 中通过 http 请求创建快照时,它可以为 bigES 创建一个快照存储库,我也可以查询它
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_snapshot'
输出
{
"snapshot-repo": {
"type": "s3",
"settings": {
"bucket": "bucket",
"region": "region",
"role_arn": "role_arn"
}
}
}
但是当我尝试查看此快照存储库中的快照时出现错误(如下所述)
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
我收到以下错误:
{
"error": {
"root_cause": [
{
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
}
],
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
},
"status": 500
}
我已将 s3 的所有访问权限授予我的角色,但没有成功。我已经发布了 VPC 内一台 ec2 机器的所有 http 请求。
还要提一下,如果我像下面这样查询,我会看到预期的结果
curl -XGET 'http://smallESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
IDK 为什么我尝试制作一个具有如下信任关系的角色。仍然没有运气。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
提前感谢任何类型的 help/suggestions。
我使用以下策略解决了这个问题
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
],
"Version": "2012-10-17"
}
然后我将策略附加到角色。我认为 "iam:PassRole" 已经完成了工作。
我遇到了同样的问题,这是因为我没有让 Elasticsearch 服务承担这个角色。我必须更新我的信任关系政策文件以包含 es.amazonaws.com.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"es.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}