AWS Elasticsearch Service: what is the correct way to write this access policy?

Time: 2019-03-05 18:58:40

Tags: amazon-web-services elasticsearch amazon-iam

I have a service that, on startup, calls DescribeElasticsearchDomain for a specific domain (to get its URI), and that call fails.

I find this a bit confusing, because the domain has an access policy that I believe opens DescribeElasticsearchDomain to anything in AWS (honestly, this is probably where the code below goes wrong; the way it is written looks a bit suspect).

Here is the error:

org.springframework.beans.BeanInstantiationException: Failed to instantiate [classname]: Constructor threw exception; nested exception is com.amazonaws.services.elasticsearch.model.AWSElasticsearchException: User: arn:aws:sts::{account-id}:assumed-role/{long-role-info} is not authorized to perform: es:DescribeElasticsearchDomain on resource: arn:aws:es:{region}:{account-id}:domain/{domain-name} (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: 22e29929-3c70-11e9-97e9-edb3ab09a546)

Access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "es:DescribeElasticsearchDomain",
        "es:DescribeElasticsearchDomains"
      ],
      "Resource": "arn:aws:es:{region}:{account-id}:domain/{domain-name}/*"
    }
  ]
}

Does anyone know how to do this correctly?

Edit: I will also include the code that makes the call

    import com.amazonaws.services.elasticsearch.AWSElasticsearch;
    import com.amazonaws.services.elasticsearch.AWSElasticsearchClientBuilder;
    import com.amazonaws.services.elasticsearch.model.DescribeElasticsearchDomainRequest;
    import com.amazonaws.services.elasticsearch.model.DescribeElasticsearchDomainResult;
    import com.amazonaws.services.elasticsearch.model.ElasticsearchDomainStatus;

    // Looks up the domain's VPC endpoint through the Elasticsearch Service configuration API.
    // The default client uses the default credential chain, i.e. the assumed role named in the error above.
    private static String fetchElasticUri(String env) {
        AWSElasticsearch awsElasticsearch = AWSElasticsearchClientBuilder.defaultClient();

        String domainName = "{domain-name}"; // placeholder kept from the question; the real domain name goes here
        DescribeElasticsearchDomainRequest describeElasticsearchDomainRequest = new DescribeElasticsearchDomainRequest()
            .withDomainName(domainName);
        // This is the call that fails with the 403 AccessDeniedException shown above
        DescribeElasticsearchDomainResult describeElasticsearchDomainResult = awsElasticsearch.describeElasticsearchDomain(describeElasticsearchDomainRequest);
        ElasticsearchDomainStatus elasticsearchDomainStatus = describeElasticsearchDomainResult.getDomainStatus();
        // getEndpoints() maps endpoint type to hostname; "vpc" is the key for a VPC-hosted domain
        return "https://" + elasticsearchDomainStatus.getEndpoints().get("vpc");
    }

1 answer:

Answer 0 (score: 1)

The resource policy (attached to the ES domain) allows anyone to perform the action (es:Describe...), but does the role used by the code allow the entity that assumes that role to perform (es:Describe...)? Where it is not explicitly allowed, there is an implicit deny on ES actions.

Add es:* to the role policy and retest your scenario.
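The answer's point is that the 403 comes from the assumed role's own identity-based policy, not from the domain policy. The following is an added example, not code from the question or the answer: a simplified IAM decision function that shows why the call gets an implicit deny, what changes with the answer's es:* suggestion, and a least-privilege alternative scoped to the one action and the one domain ARN named in the error. Only the role's identity policy is modelled (the domain's resource policy is not). The account id, region, domain name and the S3 statement are placeholders constructed for the example.

```python
"""Simplified IAM identity-policy evaluation for the scenario in this thread.

Models only the part of the IAM decision the answer relies on: a request is
implicitly denied unless some statement explicitly allows it, an explicit Deny
always wins, and matching follows IAM's wildcard rules. Account id, region and
domain name are placeholders, not values from the question.
"""
import re

ACCOUNT = "123456789012"
REGION = "us-east-1"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/my-domain"
ACTION = "es:DescribeElasticsearchDomain"


def _glob_match(pattern, value, case_sensitive):
    """IAM wildcard matching: '*' is any run of characters (possibly empty), '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """True when the statement's Action and Resource both cover the request."""
    # IAM compares action names case-insensitively and resource ARNs case-sensitively.
    action_hit = any(_glob_match(a, action, False) for a in _as_list(stmt.get("Action", [])))
    resource_hit = any(_glob_match(r, resource, True) for r in _as_list(stmt.get("Resource", [])))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Explicit Deny wins over any Allow; with no matching statement at all the
    request is implicitly denied, which is the 403 AccessDeniedException above.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed role policies for the scenarios discussed in the thread.

# 1. The role before the fix: some unrelated permission, nothing under es:*.
ROLE_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

# 2. The answer's suggestion: es:* on everything. Works, but far broader than the code needs.
ROLE_ES_STAR = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "es:*", "Resource": "*"}]}

# 3. Least privilege: only the action the code makes, only on the domain it reads.
ROLE_LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:DescribeElasticsearchDomain"], "Resource": DOMAIN_ARN}]}

# 4. A common slip: copying the ".../*" form from the domain policy. The error in the
#    question names the bare domain ARN (no trailing "/..."), and under IAM wildcard
#    rules "domain/my-domain/*" does not match "domain/my-domain".
ROLE_WRONG_RESOURCE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["es:DescribeElasticsearchDomain"], "Resource": DOMAIN_ARN + "/*"}]}

# 5. A guard rail worth pairing with es:*: an explicit Deny on a destructive action always wins.
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "es:DeleteElasticsearchDomain", "Resource": "*"}]}


if __name__ == "__main__":
    for name, pols in [("before fix", [ROLE_BEFORE]), ("es:*", [ROLE_ES_STAR]),
                       ("least privilege", [ROLE_LEAST_PRIVILEGE]),
                       ("wrong resource", [ROLE_WRONG_RESOURCE])]:
        print(f"{name:16} {ACTION}: {evaluate(pols, ACTION, DOMAIN_ARN)}")
    print("es:* + deny      es:DeleteElasticsearchDomain:",
          evaluate([ROLE_ES_STAR, DENY_DELETE], "es:DeleteElasticsearchDomain", DOMAIN_ARN))
```

Run as a script it prints ImplicitDeny for the role before the fix (the question's 403), Allow for both es:* and the least-privilege statement, ImplicitDeny for the ".../*" resource, and ExplicitDeny for the delete action once the Deny statement is attached. The evaluator is deliberately partial: real IAM also applies resource policies, permissions boundaries, SCPs and Condition elements, none of which this thread turns on.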