AWS ElasticSearch ESHttpPost to account "A" with ES cluster setup from lambda in account "B"
Question
I have an AWS ElasticSearch Cluster in account "A".
I'm trying to create a lambda (triggered via API) in account "B" that will fetch data from ES in account "A".
I'm getting the following error:
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"
My Access policy in ES Security Configuration:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    }
  ]
}
I modified the access policy with the following but still facing the same issue:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:root"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    }
  ]
}
Answer 1
Score: 1
Try to explicitly allow the role arn:aws:sts::AccountB:assumed-role/lambdaRole to perform all the actions on the Elasticsearch domain in AccountA.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "List of IP Addresses"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::AccountB:assumed-role/lambdaRole"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
    }
  ]
}
Answer 2
Score: 0
Scratched my head a lot for this. Basically what is happening is that a resource-based policy only allows access to requests from the same account. If it is cross-account access, we also need an identity-based policy from the originating account.
Take this for example:
- ES cluster in account A
- Lambda function in account A
- Another lambda function in account B
- Domain access policy that allows access to lambdas on both accounts A & B
- Now, when we sign & make requests from lambda in account A, it will work even if the lambda doesn't have es:ESHttp* permissions
- But lambda B will not work this way. We also need to add es:ESHttp* permission to the role in lambda B.
This is because for same-account access a resource-based policy is enough, but for cross-account access we also need an identity policy on the requesting service (lambda).
Here's the relevant documentation regarding this: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html
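An added example, not taken from the question or either answer, that models the evaluation rule answer 2 describes (and the extra resource-policy statement answer 1 adds) with this page's domain ARN, es:ESHttpPost action and lambdaRole. The same-account role lambdaRoleA, the `_search` request path and the root-principal domain policy are constructed assumptions, and real IAM also evaluates Conditions, which this model skips.

```python
"""Teaching model of the IAM cross-account evaluation rule, not the real IAM engine:
it handles Effect/Principal/Action/Resource with '*' wildcards and ignores Conditions."""
from fnmatch import fnmatchcase

DOMAIN_ARN = "arn:aws:es:us-east-1:AccountA:domain/domainName/*"  # domain ARN from the question
LAMBDA_ROLE_B = "arn:aws:iam::AccountB:role/lambdaRole"            # the question's lambdaRole (role ARN form)
LAMBDA_ROLE_A = "arn:aws:iam::AccountA:role/lambdaRoleA"           # hypothetical same-account role (answer 2)
REQUEST_PATH = "arn:aws:es:us-east-1:AccountA:domain/domainName/_search"  # constructed request resource

def _account(arn):
    return arn.split(":")[4]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_covered(stmt, principal):
    for p in _as_list(stmt.get("Principal", {}).get("AWS", [])):
        if p == "*" or p == principal:
            return True
        if p.endswith(":root") and _account(p) == _account(principal):
            return True  # an account-root principal stands for every identity in that account
    return False

def _effect(policy, principal, action, resource, is_resource_policy):
    """'Deny' if a matching statement denies, 'Allow' if one allows, else None (implicit deny)."""
    effects = set()
    for s in policy["Statement"]:
        if is_resource_policy and not _principal_covered(s, principal):
            continue
        if any(fnmatchcase(action, a) for a in _as_list(s["Action"])) and \
           any(fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            effects.add(s["Effect"])
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def is_allowed(principal, action, resource, domain_policy, role_policy):
    """Same account: resource OR identity policy may allow. Cross account: BOTH must allow."""
    r = _effect(domain_policy, principal, action, resource, is_resource_policy=True)
    i = _effect(role_policy, principal, action, resource, is_resource_policy=False)
    if "Deny" in (r, i):
        return False
    if _account(principal) == _account(resource):
        return "Allow" in (r, i)
    return r == "Allow" and i == "Allow"

# Domain access policy trusting both accounts (answer 2's setup; the IP-conditioned statement is left out)
DOMAIN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "es:*",
    "Principal": {"AWS": ["arn:aws:iam::AccountA:root", "arn:aws:iam::AccountB:root"]}, "Resource": DOMAIN_ARN}]}
# Identity policy that answer 2 says must also be attached to lambdaRole in account B
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "es:ESHttp*", "Resource": DOMAIN_ARN}]}
NO_ES_PERMISSIONS = {"Version": "2012-10-17", "Statement": []}  # lambdaRole before the fix: no es:* grants
```

Calling `is_allowed(LAMBDA_ROLE_B, "es:ESHttpPost", REQUEST_PATH, DOMAIN_POLICY, NO_ES_PERMISSIONS)` reproduces the question's denial, and swapping in ROLE_POLICY flips it to allowed while the same-account role needs no identity grant at all.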