如何授予 Lambda 访问 AWS 中的 ElasticSearch 的权限?
How to grant Lambda access to ElasticSearch in AWS?
我正在使用我的本地 AWS 凭证成功访问 AWS ElasticSearch 服务。但是,当从 lambda 尝试时,我得到以下信息:
User:
arn:aws:sts::XXXXXXXXXX:assumed-role/dudeman-workouts-dev-graphqlLambdaServiceRoleXXXXXX-XXXXXXXXX/dudeman-workouts-dev-graphqlLambdaXXXXXXXX-XXXXXXXXXX
is not authorized to perform: es:ESHttpPost
这让我感到困惑,因为 lambda 承担的角色具有以下内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:XXXXXXXXXXXX:domain/general-elasticsearch",
"Effect": "Allow"
}
]
}
集群本身的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXX:root"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:XXXXXXXXXXX:domain/general-elasticsearch/*"
}
]
}
策略模拟器说一切正常:
在 IAM 策略中的资源末尾添加 /*。
IIRC,Elasticsearch 策略的行为类似于 S3 策略:如果省略尾随 /*,则只能调用影响整个集群的请求。但是,各种 HTTP 请求会影响 https://cluster/index.
等内容
我正在使用我的本地 AWS 凭证成功访问 AWS ElasticSearch 服务。但是,当从 lambda 尝试时,我得到以下信息:
User: arn:aws:sts::XXXXXXXXXX:assumed-role/dudeman-workouts-dev-graphqlLambdaServiceRoleXXXXXX-XXXXXXXXX/dudeman-workouts-dev-graphqlLambdaXXXXXXXX-XXXXXXXXXX is not authorized to perform: es:ESHttpPost
这让我感到困惑,因为 lambda 承担的角色具有以下内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:XXXXXXXXXXXX:domain/general-elasticsearch",
"Effect": "Allow"
}
]
}
集群本身的政策如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXXXXXX:root"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:XXXXXXXXXXX:domain/general-elasticsearch/*"
}
]
}
策略模拟器说一切正常:
在 IAM 策略中的资源末尾添加 /*。
IIRC,Elasticsearch 策略的行为类似于 S3 策略:如果省略尾随 /*,则只能调用影响整个集群的请求。但是,各种 HTTP 请求会影响 https://cluster/index.