我有一项服务,该服务在启动时调用DescribeElasticsearchDomain到特定域(以获取URI),并且该调用失败。
我发现这有点令人困惑,因为该域具有一个访问策略,我相信它可以为DescribeElasticsearchDomain打开它以访问AWS的任何内容(老实说,这可能是以下代码错误的地方-编写方式有点可疑) 。
这是错误:
org.springframework.beans.BeanInstantiationException: Failed to instantiate [classname]: Constructor threw exception; nested exception is com.amazonaws.services.elasticsearch.model.AWSElasticsearchException: User: arn:aws:sts::{account-id}:assumed-role/{long-role-info} is not authorized to perform: es:DescribeElasticsearchDomain on resource: arn:aws:es:{region}:{account-id}:domain/{domain-name} (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: 22e29929-3c70-11e9-97e9-edb3ab09a546)
访问策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains"
],
"Resource": "arn:aws:es:{region}:{account-id}:domain/{domain-name}/*"
}
]
}
有人知道如何正确执行此操作吗?
编辑:我还将包括拨打电话的代码
private static String fetchElasticUri(String env) {
AWSElasticsearch awsElasticsearch = AWSElasticsearchClientBuilder.defaultClient();
DescribeElasticsearchDomainRequest describeElasticsearchDomainRequest = new DescribeElasticsearchDomainRequest()
.withDomainName(domain-name);
DescribeElasticsearchDomainResult describeElasticsearchDomainResult = awsElasticsearch.describeElasticsearchDomain(describeElasticsearchDomainRequest);
ElasticsearchDomainStatus elasticsearchDomainStatus = describeElasticsearchDomainResult.getDomainStatus();
return "https://" + elasticsearchDomainStatus.getEndpoints().get("vpc");
}
答案 0 :(得分:1)
资源策略(附加到es域)允许任何人执行操作(es:Describe ....),但是代码所使用的角色是否允许承担该角色的实体执行(es:Describe) ...)?在未明确允许的情况下,对es动作存在隐式拒绝。
在角色策略中添加es:*并重新测试您的方案。