AWS Elasticsearch Service无权执行滚动

时间:2016-05-08 07:06:24

标签: amazon-web-services elasticsearch amazon-elasticsearch

我尝试使用elasticdump从AWS Elasticsearch Service复制索引:

elasticdump --input=https://xxx.xx-xxx-x.es.amazonaws.com/my_index --output=my_index.json

政策的相关部分:

...
  "Action": "es:*",
  "Resource": [
    "arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster/*",
    "arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster",
    "arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster/_search/scroll"
  ]
...

在100件物品之后,我得到:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster/_search/scroll"}

为什么AWS阻止我滚动?

1 个答案:

答案 0 :(得分:0)

您可能需要为将访问ES以进行转储的计算机添加IP 我有类似的问题,并添加IP修复了我的问题 我的政策是这样的:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<AWSACCOUNT>:root"
    },
    "Action": "es:*",
    "Resource": "arn:aws:es:us-west-1:<AWSACCOUNT>:domain/<domain>/*"
  },
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "*",
    "Resource": [
           "arn:aws:es:<AWSACCOUNT>:domain/<domain>/*",
           "arn:aws:es:<AWSACCOUNT>:domain/<domain>/_search/scroll"
           ],
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": [
          <IP1>,
          <IP2>,
          <...>
        ]
      }
    }
  }
 ]
}

并且您可能需要在命令行中设置端口

相关问题
最新问题