AWS ElasticSearch从帐户“B”中的lambda写入帐户“A”

时间:2017-10-09 21:14:34

标签: amazon-web-services elasticsearch lambda

我在帐户“A”中有一个AWS ElasticSearch集群。

我正在尝试在帐户“B”中创建一个lambda(从DynamoDB流触发),该帐户将在帐户“A”中写入ES。

我收到以下错误:

{
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES is not authorized to perform: es:ESHttpPost on resource: beta-na-lifeguard"
}

我已经尝试将STS以及ROLE放入ES访问策略(在帐户“A”中),但没有运气。这是我的政策:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountA:user/beta-elasticsearch-admin"
      },
      "Action": "es:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountA:user/beta-elasticsearch-readwrite",
          "arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
          "arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES",
          "arn:aws:iam::AccountB:role/service-role/lambdaRole1"
        ]
      },
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpPost",
        "es:ESHttpPut"
      ],
      "Resource": "*"
    }
  ]
}

2 个答案:

答案 0 :(得分:2)

当您为其他帐户创建“角色”时,您还需要设置“信任关系”。这是在“角色”下的AWS IAM控制台中完成的。您角色的第二个标签是“信任关系”。您需要将其他帐户的帐户详细信息指定为受信任。

“信任关系”本身就是一份政策文件。以下示例允许您将AssumeRole从另一个帐户调用到我的AWS账户。

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::2812XXXXYYYY:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

在您的角色中,只需像正在为另一个IAM用户/服务授予权限一样正常指定权限(例如,删除所有这些帐户类型条目)。信任关系策略文档定义了谁可以调用AssumeRole来授予这些权限。

Creating a Role to Delegate Permissions to an IAM User

Modifying a Role

答案 1 :(得分:2)

在上面的代码中,我将arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToSNS添加到AccountA ES访问列表中,这是错误的。而是执行以下操作:

我已经在ES访问列表中有arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch,我需要为该角色添加一个信任关系(来自IAM角色屏幕),以供AccountB使用。我将此添加到信任关系中:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::AccountB:root"
  },
  "Action": "sts:AssumeRole"
}

然后,在我的accountB lambda代码中,我需要承担这个角色。这是来自lambda的相关代码。

var AWS = require('aws-sdk');
var sts = new AWS.STS({ region: process.env.REGION });
var params = {
    RoleSessionName: "hello-cross-account-session",
    RoleArn: "arn:aws:iam::accountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
    DurationSeconds: 900
};
sts.assumeRole(params, function (err, data) {
    if (err) {
        console.log(err, err.stack); // an error occurred
        context.fail('failed to assume role ' + err);
        return;
    }
    log("assumed role successfully! %j", data)
    postToES(bulkUpdateCommand, context);
});