AWS ElasticSearch ESHttpPost to account "A" with ES cluster setup from lambda in account "B"

Question

I have an AWS ElasticSearch Cluster in account "A".

I'm trying to create a lambda (triggered via API) in account "B" that will fetch data from ES in account "A".

I'm getting the following error:

"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"

My Access policy in ES Security Configuration:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            List of IP Addresses
          ]
        }
      }
    }
  ]
}

I modified the access policy with the following but still facing the same issue:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            List Of Ip Addresses
          ]
        }
      }
    }
  ]
}

Answer 1

Score: 1

Try to explicitly allow the role arn:aws:sts::AccountB:assumed-role/lambdaRole to perform all the actions on the Elasticsearch domain in AccountA.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::AccountB:assumed-role/lambdaRole"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    }
  ]
}

Answer 2

Score: 0

Scratched my head a lot for this. Basically what is happening is that resource based policy only allows access to requests from same account. If it is a cross account access, we also need identity based policy from the originating account.
Take this for example

  • ES cluster in account A
  • Lambda function in account A
  • Another lambda function in account B
  • Domain access policy that allows access to lambdas on both accounts A & B
  • Now, when we sign & make requests from lambda in account A, it will work even if the lambda doesn't have es:ESHttp* permissions
  • But lambda B will not work this way. We also need to add es:ESHttp* permission to the role in lambda B.

This is because for same account access resource based policy is enough, but for cross-account access we also need an identity policy on the requesting service (lambda).

Here's the relevant documentation regarding this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html
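As an added illustration of the cross-account rule this answer describes (example code, not the asker's, the answerer's or AWS's own): a simplified checker over two constructed policies, the domain access policy in account A and an identity policy for lambdaRole in account B. Account ids, the role names and the mapping from the STS assumed-role ARN in the error to the IAM role ARN are assumptions; the checker reproduces the denial the question reports, the same-account case from the first bullet, and the result once the identity policy is attached.

```python
import fnmatch

ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"  # constructed account ids
DOMAIN = f"arn:aws:es:us-east-1:{ACCOUNT_A}:domain/domainName"
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/lambdaRoleA"  # same-account Lambda role
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/lambdaRole"  # role behind the STS ARN in the error

# Domain access policy in account A, like the asker's second attempt (account B root
# plus a same-account role); the aws:SourceIp Condition is not modelled here.
DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_B}:root", ROLE_A]},
     "Action": "es:*", "Resource": DOMAIN + "/*"}]}

# Identity policy for lambdaRole in account B: what the second answer says is missing.
ROLE_B_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:ESHttpGet", "es:ESHttpPost"],
     "Resource": DOMAIN + "/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    """IAM's * and ? wildcards in Action/Resource behave like shell globs."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def account_of(arn):
    return arn.split(":")[4]

def _principal_ok(spec, caller_arn):
    """'*' matches anyone; an account root ARN delegates to all of that account's principals."""
    root = f"arn:aws:iam::{account_of(caller_arn)}:root"
    return any(p in ("*", caller_arn, root) for p in _as_list(spec))

def policy_allows(policy, action, resource, caller_arn=None):
    """True if an Allow statement matches; Principal is checked only for resource policies."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if caller_arn and not _principal_ok(st["Principal"]["AWS"], caller_arn):
            continue
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            return True
    return False

def is_authorized(caller_arn, identity_policy, resource_policy, action, resource):
    """Cross-account rule: the resource policy must allow the caller; a cross-account caller
    also needs an identity-policy Allow. Explicit Deny and Conditions are left out."""
    if not policy_allows(resource_policy, action, resource, caller_arn):
        return False
    if account_of(caller_arn) == account_of(resource):
        return True
    return bool(identity_policy) and policy_allows(identity_policy, action, resource)
```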

huangapple
  • Published on 2023-03-07 12:15:40
  • Please keep this link when reposting: https://go.coder-hub.com/75658003.html