Jub*_*ail 5 amazon-web-services elasticsearch aws-lambda amazon-elasticsearch aws-access-policy
设置AWS Elasticsearch之后,我在静态IP服务器上安装了Logstash和Kibana代理,并在ES上添加了这个域访问策略,它运行正常:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
}
]
}
现在我需要允许Lambda函数es:ESHttpDelete在AWS ES上执行操作,因此我使用现有角色创建了该函数,service-role/Elasticsearch然后ARN从IAM Managment控制台复制了相关内容以将其添加到AWS ES访问策略,以得出:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}
问题出在ES我应该为静态IP或ARN选择域访问策略,但不能同时选择两者.当我尝试手动合并它们而不是使用控制台时,它不起作用.我检查了AWS文档,但他们没有提到是否可能.
Statement您可以在策略的 JSON 格式的数组中添加多个策略语句。所以,你的最终政策将是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}
| 归档时间: |
|
| 查看次数: |
812 次 |
| 最近记录: |