为elasticsearch实例put方法设置最小角色
Setting minimum role for elasticsearch instance put method
我有这个 cloudformation 模板,它按预期工作。它将向 elasticsearch 索引添加 1 条记录。
但我不确定角色定义是否正确。我需要设置这个功能的最低权限。
AWSTemplateFormatVersion: "2010-09-09"
Description: "Gateway and Lambda function for mailgun API"
Resources:
lambdaIAMRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "sts:AssumeRole"
Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Policies:
- PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Effect: "Allow"
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
PolicyName: "lambda"
lambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Code:
ZipFile: |
def handler(event,context):
from elasticsearch import Elasticsearch
es = Elasticsearch(
['search-test-XXXX.us-east-1.es.amazonaws.com'],
http_auth=('root', 'XXXX)'),
scheme="https",
port=443,
)
doc = {
'author': 'kimchy',
'text': 'Elasticsearch: cool. bonsai cool.'
}
res = es.index(index="test-index", id=1, body=doc)
Description: "EmailThis"
FunctionName: elast
Handler: "index.handler"
MemorySize: 128
Role: !GetAtt "lambdaIAMRole.Arn"
Runtime: "python3.6"
Timeout: 100
Layers:
- "arn:aws:lambda:us-east-1:770693421928:layer:Klayers-python38-elasticsearch:12"
是的,角色中的权限与标准 AWSLambdaBasicExecutionRole.
中的权限相匹配
但是,您的角色将不起作用,因为它有不正确的资源。而不是:
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
应该有:
Resource:
- !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/elast:*"
因为 elast 是函数的名称,而不是 furl。
我有这个 cloudformation 模板,它按预期工作。它将向 elasticsearch 索引添加 1 条记录。 但我不确定角色定义是否正确。我需要设置这个功能的最低权限。
AWSTemplateFormatVersion: "2010-09-09"
Description: "Gateway and Lambda function for mailgun API"
Resources:
lambdaIAMRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "sts:AssumeRole"
Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Policies:
- PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Effect: "Allow"
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
PolicyName: "lambda"
lambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Code:
ZipFile: |
def handler(event,context):
from elasticsearch import Elasticsearch
es = Elasticsearch(
['search-test-XXXX.us-east-1.es.amazonaws.com'],
http_auth=('root', 'XXXX)'),
scheme="https",
port=443,
)
doc = {
'author': 'kimchy',
'text': 'Elasticsearch: cool. bonsai cool.'
}
res = es.index(index="test-index", id=1, body=doc)
Description: "EmailThis"
FunctionName: elast
Handler: "index.handler"
MemorySize: 128
Role: !GetAtt "lambdaIAMRole.Arn"
Runtime: "python3.6"
Timeout: 100
Layers:
- "arn:aws:lambda:us-east-1:770693421928:layer:Klayers-python38-elasticsearch:12"
是的,角色中的权限与标准 AWSLambdaBasicExecutionRole.
中的权限相匹配但是,您的角色将不起作用,因为它有不正确的资源。而不是:
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
应该有:
Resource:
- !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/elast:*"
因为 elast 是函数的名称,而不是 furl。