How to connect AWS OpenSearch Serverless to Lambda to inject data?

Question


I'm trying to do a PUT request to upload data to a collection I have created. However, I'm getting a '403' error; 'User does not have permissions for the requested resource'.

I believe I have granted full IAM access to the user but I'm still getting the same error.

Here is the IAM and function within my serverless file:

iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - aoss:*
        Resource:
          - '*'

functions:
  lambdaFunction:
    handler: src/controllers/lambdaFunction.handler
    description: create a lambda
    events:
      - http:
          path: /lambda
          method: post
          cors: ${self:custom.cors-settings}
          private: false
          authorizer:
            type: CUSTOM
            authorizerId: ${self:provider.environment.authorizer_ref}
            resultTtlInSeconds: 0
    memorySize: 256
    logRetentionInDays: 30
    iamRoleStatementsInherit: true
    iamRoleStatements:
      - Effect: Allow
        Action:
          - aoss:*
        Resource:
          - '*'

Answer 1

Score: 1


The documentation unluckily is not one of the best, but first off you need to create a data access policy inside your Opensearch Serverless collection where you add a rule with:

  • as Principal: your lambda role
  • as grants/permissions: based on what the lambda should do with the collection

If you don't know your lambda role, you can just go to your lambda detail page and then navigate to 'Configuration > Permissions'; it's sitting right on top of that page.

After that you should give to the lambda role the access policy to perform the aoss:APIAccessAll action. Now I didn't find any 'pre-made' access policy, so I created a new one with name OpensearchServerlessAPICaller with the following JSON policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "aoss:BatchGetCollection",
                "aoss:APIAccessAll"
            ],
            "Resource": "*"
        }
    ]
}

With everything in place now your lambda can perform calls directly to your Opensearch Serverless collection. Remember to correctly authenticate the library's client you are using. I suggest using @opensearch-project/opensearch if you are using node, which would mean that you should create the client with:

import { AwsSigv4Signer } from '@opensearch-project/opensearch/aws';
import { Client } from '@opensearch-project/opensearch';
import { defaultProvider } from '@aws-sdk/credential-provider-node';

const client = new Client({
  node: "Your opensearch host",
  // Sign every request with SigV4 for the 'aoss' service (OpenSearch Serverless,
  // not 'es'), using the Lambda role's credentials from the default provider chain.
  ...AwsSigv4Signer({
    region: 'eu-central-1',
    service: 'aoss',

    getCredentials: () => {
      const credentialsProvider = defaultProvider();
      return credentialsProvider();
    },
  }),
});

Sidenote: Keep in mind that if you opted to protect your opensearch collection within a VPC then you should place the lambda within the same VPC otherwise it's not going to reach the collection.
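The answer above describes two separate authorization layers: an IAM policy on the Lambda role that allows aoss:APIAccessAll, and a data access policy inside the collection that names that role as Principal. The following is an added example, not code from the original answer or from the OpenSearch project. It runs offline with no dependencies and models both layers as a check: a simplified IAM evaluator (it ignores Resource and Condition, which a real evaluation also applies), a generator for an ingestion-only data access policy, and a function that reports which layer would refuse the call. The role ARN and collection name are constructed placeholders, and the exact permission set in the generated policy is an assumption to be checked against the AWS data access policy reference for the operations actually called.

```javascript
// Added example, not code from the original answer. It models offline the two
// authorization layers OpenSearch Serverless evaluates on a data-plane request
// (such as the PUT from the Lambda in the question):
//   1. IAM: the Lambda role must be allowed the aoss:APIAccessAll action.
//   2. Collection data access policy: a rule must name the role as Principal
//      with the index/collection permissions it needs.
// A gap in either layer surfaces as a 403 on the data plane even when IAM
// already grants aoss:*. The role ARN and collection name are placeholders.

const LAMBDA_ROLE_ARN = 'arn:aws:iam::123456789012:role/example-lambda-role'; // placeholder
const COLLECTION_NAME = 'example-collection'; // placeholder

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Simplified IAM evaluator: does the policy document allow `action`?
// Handles string-or-array Action, "*" and "aoss:*" style globs and explicit
// Deny, but ignores Resource/Condition, which a real evaluation also checks.
function iamAllows(policyDoc, action) {
  const [svc, op] = action.toLowerCase().split(':');
  const matches = (pattern) => {
    const p = pattern.toLowerCase();
    if (p === '*') return true;
    const [pSvc, pOp] = p.split(':');
    if (pSvc !== svc || pOp === undefined) return false;
    const re = new RegExp('^' + pOp.split('*').map(escapeRe).join('.*') + '$');
    return re.test(op);
  };
  const statements = [].concat(policyDoc.Statement || []);
  const hits = (effect) =>
    statements.some((s) => s.Effect === effect && [].concat(s.Action || []).some(matches));
  if (hits('Deny')) return false; // explicit deny always wins
  return hits('Allow');
}

// Data access policy for an ingestion-only Lambda: it may create and describe
// indexes and write documents in this collection, and nothing else (no reads,
// no deletes). Assumption: this is the minimal set for indexing; verify it
// against the AWS data access policy reference for the calls you make.
function buildIngestDataAccessPolicy(roleArn, collectionName) {
  return [
    {
      Description: `Ingest-only access for ${roleArn}`,
      Rules: [
        {
          ResourceType: 'collection',
          Resource: [`collection/${collectionName}`],
          Permission: ['aoss:CreateCollectionItems', 'aoss:DescribeCollectionItems'],
        },
        {
          ResourceType: 'index',
          Resource: [`index/${collectionName}/*`],
          Permission: ['aoss:CreateIndex', 'aoss:DescribeIndex', 'aoss:WriteDocument'],
        },
      ],
      Principal: [roleArn],
    },
  ];
}

// Returns the reasons a data-plane call from `roleArn` would be refused;
// an empty list means both layers are satisfied.
function checkLambdaAccess(iamPolicyDoc, dataAccessPolicy, roleArn) {
  const problems = [];
  if (!iamAllows(iamPolicyDoc, 'aoss:APIAccessAll')) {
    problems.push('IAM role is not allowed aoss:APIAccessAll');
  }
  const named = dataAccessPolicy.some((p) => (p.Principal || []).includes(roleArn));
  if (!named) {
    problems.push(`no data access policy rule lists ${roleArn} as Principal`);
  }
  return problems;
}

// Policy from the question: aoss:* on everything, but no data access policy.
const QUESTION_IAM_POLICY = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['aoss:*'], Resource: ['*'] }],
};

// Policy from the answer (OpensearchServerlessAPICaller).
const ANSWER_IAM_POLICY = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['aoss:BatchGetCollection', 'aoss:APIAccessAll'], Resource: '*' }],
};

// Stand-alone run: the question's setup passes IAM but fails the data access
// policy layer; adding the collection policy clears both.
console.log(checkLambdaAccess(QUESTION_IAM_POLICY, [], LAMBDA_ROLE_ARN));
console.log(checkLambdaAccess(ANSWER_IAM_POLICY,
  buildIngestDataAccessPolicy(LAMBDA_ROLE_ARN, COLLECTION_NAME), LAMBDA_ROLE_ARN));
```

The first call reproduces the situation in the question: aoss:* does cover aoss:APIAccessAll, so IAM is not the problem; the missing data access policy is. The generated policy is deliberately write-only so that a compromised ingestion Lambda cannot read back or delete what other principals have indexed.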

huangapple
  • Posted on 3 July 2023, 15:55:58
  • Please keep this link when reposting: https://go.coder-hub.com/76602817.html