在设置AWS Elasticsearch之后,我在静态IP服务器上安装了Logstash和Kibana代理,并在ES上添加了此域访问策略,并且它正常工作:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
}
]
}
现在我需要允许Lambda函数在AWS ES上执行es:ESHttpDelete
操作,因此我创建了具有现有角色service-role/Elasticsearch
的函数,然后将相关ARN
从IAM管理控制台复制到将其添加到AWS ES访问策略中,以提出:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}
问题在于ES我应该为静态IP或ARN选择域访问策略,但不能同时选择两者。当我尝试手动合并它们而不是使用控制台时,它没有工作。我检查了AWS文档,但他们没有提到是否可能。
答案 0 :(得分:2)
您可以使用JSON格式的策略在Statement
数组中添加多个策略语句。所以,你的最终政策将是:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.192.192.192"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
}
]
}