Dan*_*kov 6 heroku amazon-web-services node.js elasticsearch amazon-iam
我的应用程序遇到了这个问题。我的应用程序部署到 Heroku 服务器,我使用的是部署在 AWS 上的 Elasticsearch。当我尝试在本地访问 Elasticsearch - 在 aws 域上 - 一切正常。但是,当我尝试访问我的 Heroku 域(都来自邮递员)时,我收到 503 错误消息:
2017-12-21T13:36:52.982331+00:00 app[web.1]: statusCode: 403,
2017-12-21T13:36:52.982332+00:00 app[web.1]: response: '{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost on resource: houngrymonkey"}',
我的访问政策是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "[heroku static ip]"
}
}
}
]
}
谁能告诉我我的问题是什么?谢谢!
我在 ES 和 lambda 上遇到了同样的问题,这不完全是你的情况,但也许会有帮助。我实际上做了什么来解决这个问题
1)在lambda( Node.js v6.10)中我添加了以下代码:
var creds = new AWS.EnvironmentCredentials('AWS');
....
// inside "post to ES"-method
var signer = new AWS.Signers.V4(req, 'es');
signer.addAuthorization(creds, new Date());
....
// post request to ES goes here
有了这些行,我的例外就从 变为
"User: anonymous..."
情况
"User: arn:aws:sts::xxxx:assumed-role/yyyy/zzzzz"
正是如此。
2)我通过以下方式更新了ES策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::xxxx:assumed-role/yyyy/zzzzz" (which was in exception)
},
"Action": "es:*",
"Resource": "arn:aws:es:[region]:[account-id]:domain/[es-domain]/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:[region]:[account-id]:domain/[es-domain]/*"
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"1.2.3.4/32",
....
]
}
}
}
]
}
希望这会有所帮助。
| 归档时间: |
|
| 查看次数: |
10796 次 |
| 最近记录: |