我正在ElasticSearch上建立一个AWS实例。我的目标是仅允许从我的Lambda函数到ElasticSearch实例的http请求。我创建了一个策略,该策略为'Lambda access to the ElasticSearch instance. The part I'm struggling with is the inline resource policy for ElasticSearch that will deny all other request that aren't from the 'Lambda。
我尝试将ElasticSearch资源策略设置为Deny所有请求,然后给我的Lambda一个有权访问ElasticSearch.的角色,而Lambda是使用该角色,我正在使用axios和aws4对我的http请求进行签名,但是该请求被The request signature we calculated does not match the signature you provided.拒绝了。我不认为问题不是请求的实际签名,而是策略我创建。如果有人可以引导我朝正确的方向发展,那将真的有所帮助。
Lambda Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:CreateElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags",
"es:ESHttpDelete",
"es:GetUpgradeHistory",
"es:AddTags",
"es:ESHttpHead",
"es:RemoveTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomain",
"es:UpgradeElasticsearchDomain",
"es:ESHttpPost",
"es:UpdateElasticsearchDomainConfig",
"es:GetUpgradeStatus",
"es:ESHttpPut"
],
"Resource": "arn:aws:es:us-east-1:,accountid>:domain/<es-instance>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"es:PurchaseReservedElasticsearchInstance",
"es:DeleteElasticsearchServiceRole"
],
"Resource": "*"
}
]
}
ElasticSearch Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-east-1:<account-number>:domain/<es-instance>/*"
}
]
}
Lambda Code Using Aws4 and Axios
//process.env.HOST = search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com
function createRecipesIndex(url, resolve, reject){
axios(aws4.sign({
host: process.env.HOST,
method: "PUT",
url: "https://" + process.env.HOST,
path: '/recipes/',
}))
.then(response => {
console.log("----- SUCCESS INDEX CREATED -----");
resolve();
})
.catch(error => {
console.log("----- FAILED TO CREATE INDEX -----");
console.log(error);
reject();
});
}
注意:我尝试使用将ElasticSearch上的内联策略设置为允许*(all)创建索引,并删除aws4库签名,它可以正常工作。现在,我只想确保对此资源的访问权限。
答案 0 :(得分:0)
我找到了解决我问题的方法,它是2折。第一个问题是我在resource policy实例上的内联ElasticSearch。我需要对其进行更新,以允许我赋予Lambda角色。这是通过从role arn获取IAM,然后创建以下策略以内联方式附加在ElasticSearch实例上来完成的。
我的第二个问题是aws4。我设置的path和url不匹配。我的路径是/xxxx/,而我的网址是https://search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com/xxxx。由于path包含url中找不到的多余的正斜杠,因此签名失败。对于使用该库的其他任何人,请确保这些值是一致的。我希望这对以后的人有所帮助:D
Elastic Search Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:role/service-role/<role-name>"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:<account-id>:domain/<es-instance>/*"
}
]
}