为什么在AWS上将json发布到elasticsearch端点时会出现403禁止错误?

时间:2017-01-30 09:00:44

标签: aws-lambda amazon-elasticsearch

我使用java lambda函数将json发布到AWS elasticsearch。

public Object handleRequest(DynamodbEvent dynamodbEvent, Context context) {

            //code to general the json document     
            AmazonDynamoDBClient amazonDynamoDBClient = new AmazonDynamoDBClient();

    List<DynamodbEvent.DynamodbStreamRecord> dynamodbStreamRecordlist = dynamodbEvent.getRecords();

    if (!dynamodbStreamRecordlist.isEmpty()) {
        DynamodbEvent.DynamodbStreamRecord record = dynamodbStreamRecordlist.get(0);
        if(record.getEventSource().equalsIgnoreCase("aws:dynamodb"))
            tableName = getTableNameFromARN(record.getEventSourceARN());
    }
    LaneAnnotation laneAnnotation = new LaneAnnotation();

    ScanRequest scanRequest = new ScanRequest().withTableName(tableName);
    ScanResult result = amazonDynamoDBClient.scan(scanRequest);

    List<Lines> linesFinalList = new ArrayList<Lines>();

    if(result != null) {
        for (Map<String, AttributeValue> item : result.getItems()) {      

         //code for looping through the table items and generating a json     object for the elastic search model
        }    

            //Code to post the json below - 
            RestTemplate restTemplate = new RestTemplate();
            SimpleClientHttpRequestFactory clientHttpRequestFactory = (SimpleClientHttpRequestFactory)restTemplate.getRequestFactory();
            clientHttpRequestFactory.setConnectTimeout(10000);
            clientHttpRequestFactory.setReadTimeout(10000);

            HttpEntity<String> entity = new HttpEntity<String>(<json goes here>, headers);

            try{
                restTemplate.exchange(endpoint, HttpMethod.POST, entity, String.class);
            }catch(Exception e){
                e.printStackTrace();
            }
}

但是,当我测试AWS lambda函数时,我看到以下错误 -

org.springframework.web.client.HttpClientErrorException: 403 Forbidden
    at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:91)
    at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:700)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:653)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)
    at com.here.aws.LambdaApplication.handleRequest(LambdaApplication.java:166)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at lambdainternal.EventHandlerLoader$PojoMethodRequestHandler.handleRequest(EventHandlerLoader.java:456)
    at lambdainternal.EventHandlerLoader$PojoHandlerAsStreamHandler.handleRequest(EventHandlerLoader.java:375)
    at lambdainternal.EventHandlerLoader$2.call(EventHandlerLoader.java:1139)
    at lambdainternal.AWSLambda.startRuntime(AWSLambda.java:285)
    at lambdainternal.AWSLambda.<clinit>(AWSLambda.java:57)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:348)
    at lambdainternal.LambdaRTEntry.main(LambdaRTEntry.java:94)

我甚至修改了访问策略并添加了我的IP地址。 别人也面对这个吗?你是怎么解决的?&gt; 任何帮助将不胜感激。

EDIT1:我正在尝试合并此处提到的请求签名 - https://aws.amazon.com/blogs/security/how-to-control-access-to-your-amazon-elasticsearch-service-domain/
如果进展顺利的话会报告。

EDIT2:

这是发送请求的第二种方式,我尝试引用上面的链接 -

@Override
    public Object handleRequest(DynamodbEvent dynamodbEvent, Context context) {

        AmazonDynamoDBClient amazonDynamoDBClient = new AmazonDynamoDBClient();

        List<DynamodbEvent.DynamodbStreamRecord> dynamodbStreamRecordlist = dynamodbEvent.getRecords();

        if (!dynamodbStreamRecordlist.isEmpty()) {
            DynamodbEvent.DynamodbStreamRecord record = dynamodbStreamRecordlist.get(0);
            if(record.getEventSource().equalsIgnoreCase("aws:dynamodb"))
                tableName = getTableNameFromARN(record.getEventSourceARN());
        }
        LaneAnnotation laneAnnotation = new LaneAnnotation();

        ScanRequest scanRequest = new ScanRequest().withTableName(tableName);
        ScanResult result = amazonDynamoDBClient.scan(scanRequest);

        List<Lines> linesFinalList = new ArrayList<Lines>();

        if(result != null) {
            for (Map<String, AttributeValue> item : result.getItems()) {
           //Generate the json object that needs to be sent in the request

        }

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON_UTF8);

        Request<?> request = new DefaultRequest<Void>(SERVICE_NAME);
        request.setContent(new ByteArrayInputStream(elasticSearchModel.toString().getBytes()));
        request.setEndpoint(URI.create(endpoint));
        request.setHttpMethod(HttpMethodName.POST);

        AWS4Signer signer = new AWS4Signer();
        signer.setServiceName(SERVICE_NAME);
        signer.setRegionName(Regions.US_EAST_1.getName());

        AWSCredentialsProvider credsProvider =
                new DefaultAWSCredentialsProviderChain();

        AWSCredentials creds = credsProvider.getCredentials();

        // Sign request with supplied creds
        signer.sign(request, creds);
        log.info("Request signed");

        ExecutionContext executionContext = new ExecutionContext(true);

        ClientConfiguration clientConfiguration = new ClientConfiguration();
        AmazonHttpClient client = new AmazonHttpClient(clientConfiguration);

        MyHttpResponseHandler<Void> responseHandler = new MyHttpResponseHandler<Void>();
        MyErrorHandler errorHandler = new MyErrorHandler();

        Response<Void> response =
                client.execute(request, responseHandler, errorHandler, executionContext);

        return dynamodbEvent;
    }

但是,我收到以下错误 -

    Check the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

    The Canonical String for this request should have been
    'GET
    /

    host:somehostname-XXXXXXXXXXXXXXXX.us-east-1.es.amazonaws.com
    x-amz-date:20170130T105736Z
    x-amz-security-token:FQoDYXdzEG4aDJJ4ryjXXXXXXXXXXXXXXXX/auMHooYENY6YXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    host;x-amz-date;x-amz-security-token
    e3b0c4429XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

    The String-to-Sign should have been
    'AWS4-HMAC-SHA256
    20170130T105736Z
    20170130/us-east-1/es/aws4_request
    9a5b4c92ec121c333f8cdXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    "}"

10:57:36.818 [main] DEBUG org.apache.http.headers - http-outgoing-1 << HTTP/1.1 403 Forbidden

1 个答案:

答案 0 :(得分:0)

AWS Elastic Search有一个提供身份验证的安全网关。身份验证选项在AWS Elastic Search控制台中配置。

您收到403身份验证错误,因为您的AWS Elastic Search访问策略不允许Lambda使用的NAT网关的IP。

http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies

这是一个可用于基于IP的身份验证的访问策略模板。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:YOUR-AWS-ACCOUNT-ID:domain/YOUR-ELASTICSEARCH-DOMAIN-NAME/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "YOUR-NAT-GATEWAY-PUBLIC-IP/32"
                    ]
                }
            }
        }
    ]
}