I want to create an AWS Elasticsearch domain with this policy, to allow specific access from IAM roles, set admin IPs, and give public read-only access. The ES console keeps returning the error "Error setting policy". I can't work out why this isn't allowed?
Here is the policy (the domain is on version 7.1):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<id>:role/<lambda role 1 name>"
      },
      "Action": "es:ESHttpPost",
      "Resource": "arn:aws:es:eu-west-1:<id>:domain/*/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<id>:role/<lambda role 2 name>"
      },
      "Action": "es:ESHttpDelete",
      "Resource": "arn:aws:es:eu-west-1:<id>:domain/*/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:<id>:domain/*/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "<ip1>",
            "<ip2>",
            "<ip3>"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:ESHttpGet",
      "Resource": "arn:aws:es:eu-west-1:<id>:domain/*/*"
    }
  ]
}
```

I have tried variations like eu-west-1, and putting the principals in an array (as in the provided template), but all of these are rejected? I only seem to be able to have 2 statements, each with 1 principal (es:* and 1 of these IAM ones).
Is there a better recommended approach? Something like putting it behind API Gateway. I saw the reverse proxy in the docs, but that seems like ridiculous overkill and $$$.
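As an added example (not from the question or from AWS), the script below audits a domain access policy of the shape posted above and reports, per statement, whether the grant goes to a named IAM principal, to anyone but gated by an `aws:SourceIp` condition, or to anyone with no condition at all; it also flags Resource ARNs that put a `*` in the domain-name slot, which makes the grant apply to every domain in the account rather than one. The account id, role names and IP ranges are constructed placeholders, and the script does not explain the console's "Error setting policy" message; it only makes visible what the policy would grant if accepted. For the posted policy it shows that the fourth statement opens `es:ESHttpGet` on the whole domain to the internet, which covers every `_search` and document GET request, so any indexed data becomes world-readable.

```python
"""Audit an Amazon ES domain access policy for anonymous access.

Added example; the policy below mirrors the question's structure with
assumed sample values in place of the <id>, role and IP placeholders.
"""
import re

ACCOUNT = "123456789012"  # constructed
DOMAIN_RESOURCE = f"arn:aws:es:eu-west-1:{ACCOUNT}:domain/*/*"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/lambda-role-1"},
         "Action": "es:ESHttpPost", "Resource": DOMAIN_RESOURCE},
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/lambda-role-2"},
         "Action": "es:ESHttpDelete", "Resource": DOMAIN_RESOURCE},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "es:*", "Resource": DOMAIN_RESOURCE,
         "Condition": {"IpAddress": {"aws:SourceIp": ["198.51.100.10",
                                                      "203.0.113.0/24"]}}},
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "es:ESHttpGet", "Resource": DOMAIN_RESOURCE},
    ],
}

# Domain ARN shape: arn:aws:es:<region>:<12-digit account>:domain/<name>/<path>
ES_DOMAIN_ARN = re.compile(
    r"^arn:aws:es:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":domain/(?P<domain>[^/]+)/(?P<path>.*)$")


def as_list(value):
    """IAM policy fields may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True if the Principal includes the wildcard, i.e. anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return False


def has_source_ip_condition(stmt):
    """True if an IpAddress condition on aws:SourceIp gates the statement."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.startswith("IpAddress") and "aws:SourceIp" in keys:
            return True
    return False


def classify(policy):
    """Per Allow statement, return (index, scope, actions) where scope is
    'iam-principal', 'anonymous-ip-restricted' or 'anonymous-open'."""
    result = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not is_anonymous(stmt.get("Principal", {})):
            scope = "iam-principal"
        elif has_source_ip_condition(stmt):
            scope = "anonymous-ip-restricted"
        else:
            scope = "anonymous-open"
        result.append((i, scope, as_list(stmt.get("Action", []))))
    return result


def public_actions(policy):
    """Actions any internet client can invoke with no condition at all."""
    return sorted({a for _, scope, acts in classify(policy)
                   if scope == "anonymous-open" for a in acts})


def wildcard_domain_statements(policy):
    """Indices of statements whose Resource has '*' in the domain-name slot,
    so the grant covers every domain in the account, not just one."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        for res in as_list(stmt.get("Resource", [])):
            m = ES_DOMAIN_ARN.match(res)
            if m and "*" in m.group("domain"):
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    for i, scope, acts in classify(POLICY):
        print(f"statement {i}: {scope:24s} {', '.join(acts)}")
    print("open to the internet:", public_actions(POLICY))
    print("wildcard domain name in Resource:", wildcard_domain_statements(POLICY))
```

Run it against the real policy by replacing `POLICY` with the JSON loaded from the domain's current configuration; a non-empty `public_actions` result is the line item to justify or remove before the policy goes live, and a populated `wildcard_domain_statements` list is the hint to pin each Resource to the specific domain name.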