Question

我正在尝试在EC2上创建一个Elasticsearch集群并获取我提供无效凭据的错误，但这些是我通过jclouds创建实例时使用的完全相同的凭据。

我从Elasticsearch看到的示例错误日志：

[2014-03-03 21:32:26,109][INFO ][node                     ] [Baron Blood] version[1.0.1], pid[6832], build[5c03844/2014-02-25T15:52:53Z]
[2014-03-03 21:32:26,110][INFO ][node                     ] [Baron Blood] initializing ...
[2014-03-03 21:32:26,127][INFO ][plugins                  ] [Baron Blood] loaded [cloud-aws], sites []
[2014-03-03 21:32:30,736][INFO ][node                     ] [Baron Blood] initialized
[2014-03-03 21:32:30,736][INFO ][node                     ] [Baron Blood] starting ...
[2014-03-03 21:32:30,932][INFO ][transport                ] [Baron Blood] bound_address {inet[/0:0:0:0:0:0:0:0:9300]}, publish_address {inet[/10.154.175.62:9300]}
[2014-03-03 21:32:31,228][WARN ][org.apache.http.impl.client.DefaultHttpClient] Authentication error: Unable to respond to any of these challenges: {}
[2014-03-03 21:32:31,388][INFO ][discovery.ec2            ] [Baron Blood] Exception while retrieving instance list from AWS API: AWS was not able to validate the provided access credentials
[2014-03-03 21:32:46,415][WARN ][org.apache.http.impl.client.DefaultHttpClient] Authentication error: Unable to respond to any of these challenges: {}
[2014-03-03 21:32:46,425][INFO ][discovery.ec2            ] [Baron Blood] Exception while retrieving instance list from AWS API: AWS was not able to validate the provided access credentials
[2014-03-03 21:33:00,939][WARN ][discovery                ] [Baron Blood] waited for 30s and no initial state was set by the discovery
[2014-03-03 21:33:00,939][INFO ][discovery                ] [Baron Blood] adstage-es-log/KolEM00zT9mYvYn3mDkrow
[2014-03-03 21:33:00,946][INFO ][http                     ] [Baron Blood] bound_address {inet[/0:0:0:0:0:0:0:0:9200]}, publish_address {inet[/10.154.175.62:9200]}
[2014-03-03 21:33:00,998][INFO ][node                     ] [Baron Blood] started
[2014-03-03 21:33:01,454][WARN ][org.apache.http.impl.client.DefaultHttpClient] Authentication error: Unable to respond to any of these challenges: {}
[2014-03-03 21:33:01,463][INFO ][discovery.ec2            ] [Baron Blood] Exception while retrieving instance list from AWS API: AWS was not able to validate the provided access credentials
[2014-03-03 21:33:01,466][INFO ][cluster.service          ] [Baron Blood] new_master [Baron Blood][KolEM00zT9mYvYn3mDkrow][ip-10-154-175-62][inet[/10.154.175.62:9300]], reason: zen-disco-join (elected_as_master)
[2014-03-03 21:33:01,516][INFO ][gateway                  ] [Baron Blood] recovered [0] indices into cluster_state

基于文档，我的elasticsearch.yml文件似乎是正确的：

cluster.name: adstage-es-log
cloud.aws.access_key: MY_ACCESS_KEY
cloud.aws.secret_key: MY_SECRET_TOKEN
cloud.aws.region: us-east
discovery.type: ec2
discovery.ec2.ping_timeout: 30s

另外，因为有人会问，安全组在这些盒子上是敞开的。使用Elasticsearch 1.0.1和ec2插件2.0.0.RC1。

到目前为止，我还没有发现任何可能导致此问题的原因。关于如何解决这个问题的任何想法？

Answer 1

事实证明，由于我们使用的是IAM，因此我的AWS账户设置了不正确的权限。能够通过确保我的帐户具有以下权限来解决此问题：

EC2：DescribeAvailabilityZones
EC2：DescribeInstances
EC2：DescribeRegions
EC2：DescribeSecurityGroups
EC2：DescribeTags

Answer 2

这是一个可以复制和粘贴的政策：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1404060922000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeTags"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Answer 3

为了给Gordon的有用答案添加一个具体的例子，这是一个有效的IAM权限策略：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}

Elasticsearch EC2发现因“凭据无效”而失败

3 个答案: