I have an AWS-managed Elasticsearch Service domain (say smallES) with a working S3 bucket that contains the past year's daily rolling indices. For some business reason I created another AWS-managed ES cluster (say bigES). I want to restore the past year's data from bucket into bigES. smallES, bigES and bucket are guaranteed to be in the same region and the same VPC.
So I created a policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
and attached this policy to a role. The role's trust relationship is
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Now, when I create the snapshot repository via an HTTP request from within the same VPC, it creates the snapshot repository for bigES, and I can also query it:
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_snapshot'
Output:
{
"snapshot-repo": {
"type": "s3",
"settings": {
"bucket": "bucket",
"region": "region",
"role_arn": "role_arn"
}
}
}
But when I try to list the snapshots in this snapshot repository, I get an error (shown below):
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
I get the following error:
{
"error": {
"root_cause": [
{
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
}
],
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
},
"status": 500
}
I have already granted my role all access to S3, but no luck. I have issued all HTTP requests from an EC2 machine inside the VPC.
Also worth mentioning: if I query as below, I see the expected result:
curl -XGET 'http://smallESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
IDK why, so I also tried making a role with a trust relationship like the one below. Still no luck.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Thanks in advance for any help/advice.
Answer 0 (score: 1)
I solved this problem with the following policy:
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
],
"Version": "2012-10-17"
}
Then I attached the policy to the role. I think "iam:PassRole" did the job.
Answer 1 (score: 1)
I ran into the same problem; it was because I was not allowing the Elasticsearch service to assume the role. I had to update my trust relationship policy document to include es.amazonaws.com.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"es.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
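The two answers above each fix one half of the registration: the snapshot role's trust policy must let es.amazonaws.com assume it (Answer 1), and the principal that sends the PUT _snapshot request must hold iam:PassRole on that role's ARN (Answer 0). The following is an added example, not code from the question or either answer: it builds the three documents in their correct form and lints a candidate trust policy and PassRole grant for the two mistakes visible on this page (a trust policy naming only s3.amazonaws.com, and iam:PassRole granted on an S3 object ARN instead of a role ARN). Bucket, region and account/role names are placeholders.

```python
"""Build and lint the IAM documents behind an Amazon ES S3 snapshot repository.

Added example; bucket name, region and role ARN below are placeholders.
"""

ES_SERVICE = "es.amazonaws.com"


def _statements(doc):
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def snapshot_role_trust_policy():
    """Trust policy that lets the Amazon ES service assume the snapshot role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ES_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def snapshot_role_s3_policy(bucket):
    """S3 permissions the snapshot role needs on the repository bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation",
                        "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                        "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def registrar_passrole_policy(role_arn):
    """Policy for the principal that registers the repository (e.g. the EC2
    instance role issuing PUT _snapshot/<repo>): it passes the snapshot role
    to the ES domain, so PassRole must name the role ARN, not the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
                       "Resource": role_arn}],
    }


def repository_settings(bucket, region, role_arn):
    """Body of the PUT _snapshot/<repo> registration request."""
    return {"type": "s3",
            "settings": {"bucket": bucket, "region": region, "role_arn": role_arn}}


def lint_trust_policy(doc):
    """Return findings for a snapshot-role trust policy (empty list = OK)."""
    allowed = set()
    for s in _statements(doc):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        principal = s.get("Principal")
        if isinstance(principal, dict):
            allowed.update(_as_list(principal.get("Service")))
    if ES_SERVICE in allowed:
        return []
    return [f"trust policy does not let {ES_SERVICE} assume the role "
            f"(service principals allowed: {sorted(allowed) or 'none'})"]


def lint_passrole_policy(doc):
    """Flag iam:PassRole grants whose Resource is not a specific IAM role ARN."""
    findings = []
    for s in _statements(doc):
        if s.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(s.get("Action")):
            continue
        for res in _as_list(s.get("Resource")):
            if res == "*":
                findings.append("iam:PassRole on * lets the caller pass any role; "
                                "scope it to the snapshot role ARN")
            elif not (res.startswith("arn:aws:iam::") and ":role/" in res):
                findings.append(f"iam:PassRole granted on non-role resource {res}")
    return findings
```

Running lint_trust_policy over the question's first trust document (Principal s3.amazonaws.com) reports the missing es.amazonaws.com principal, and lint_passrole_policy over Answer 0's policy reports that iam:PassRole was granted on arn:aws:s3:::bucket-name/*; both return an empty list for the documents the builders above produce.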