AWS Kinesis Firehose 未向 Elasticsearch 发送数据....IAM 权限?

AWS Kinesis Firehose is not sending data to Elasticsearch....IAM permissions?

因此,除了将数据从 Firehose 发送到 Elasticsearch 的最后一步外,我已准备就绪并且一切正常。

这是我在 Kinesis Firehose Elasticsearch 服务日志中得到的错误:

Error received from Elasticsearch cluster. {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"},"status":403}

这是我附加的 IAM 策略(由 Firehose 自己制定)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-kinesis-backup-mydna",
                "arn:aws:s3:::test-kinesis-backup-mydna/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:us-west-2:917877325894:function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:DescribeElasticsearchDomain",
                "es:DescribeElasticsearchDomains",
                "es:DescribeElasticsearchDomainConfig",
                "es:ESHttpPost",
                "es:ESHttpPut"
            ],
            "Resource": [
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:ESHttpGet"
            ],
            "Resource": [
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_all/_settings",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_cluster/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_mapping/",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/*/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_stats"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:917877325894:log-group:/aws/kinesisfirehose/test_dynamodb:log-stream:*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:ListShards"
            ],
            "Resource": "arn:aws:kinesis:us-west-2:917877325894:stream/%FIREHOSE_STREAM_NAME%"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:917877325894:key/%SSE_KEY_ID%"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "kinesis.%REGION_NAME%.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:kinesis:arn": "arn:aws:kinesis:%REGION_NAME%:917877325894:stream/%FIREHOSE_STREAM_NAME%"
                }
            }
        }
    ]
}

我尝试添加所有不同的策略,但无法使其正常工作,而且我不断收到完全相同的错误消息。

有什么建议吗?

我刚刚 运行 遇到了同样的问题。我的问题是我不小心将 firehose ARN 分配给了 ES 角色映射,而不是 IAM ARN。

Elastic Search > 安全 > firehose_delivery_role > 映射用户 > 后端角色 > {{ 这需要是 IAM firehose ARN,而不是 firehose ARN 本身}}

Incorrect: arn:aws:firehose:us-east-1:000000012345:deliverystream/workshop-firehose

Correct: arn:aws:iam::000000012345:role/service-role/KinesisFirehoseServiceRole-workshop-fire-us-east-1-1609335111111

在发现错误之前,我还尝试将 [indices:data/write/bulk] 和 [indices:data/write/bulk*] 添加到 ES 角色的集群和索引权限...但是没有帮助。

希望这对遇到类似问题的其他人有所帮助。

我也遇到了同样的问题。我使用 Cognito 身份验证设置了 AWS 弹性搜索。将 firehose iam role arn 添加到 ES 访问策略解决了问题

{
"Version": "2012-10-17",
"Statement": [
{
  "Sid": "ESAccess",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::<accountID>:role/firehose-assume-role",
      "arn:aws:iam::<accountID>:role/cognito-auth-role"
    ]
  },
  "Action": "es:*",
  "Resource": [
    "arn:aws:es:<region>:<accountID>:domain/es-domain/*",
    "arn:aws:es:<region>:<accountID>:domain/es-domain"
  ]
  }
 ]
}