我正在尝试为我在AWS上的elasticsearch注册快照。我的目标是在s3存储桶上创建elasticsearch域的快照。下面是我正在使用的命令:
curl -XPUT https://vpc-xxxxxxx.ap-southeast-2.es.amazonaws.com/_snapshot/es-snapshot -d '
{
"type": "s3",
"settings": {
"bucket": "$MY_BUCKET",
"region": "ap-southeast-2",
"role_arn": "arn:aws:iam::xxxx:role/es-snapshot-role"
}
}'
但是我得到了这个错误:
{"Message":"User: anonymous is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxx:role/es-snapshot-role"}
这似乎是角色权限问题。我已将角色策略配置为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"es:*",
"s3:*",
"iam:PassRole",
"es:ESHttpPut"
],
"Resource": [
"*"
]
}
]
}
其信任关系为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
我想知道我在这里还想念什么。
这篇文章AccessDenied for EC2 Instance with attached IAM Role似乎与我的问题无关。
答案 0 :(得分:1)
注册手动快照存储库
您必须先向Amazon Elasticsearch Service注册快照存储库,然后才能进行手动索引快照。此一次性操作要求您使用允许访问TheSnapshotRole的凭证对AWS请求进行签名,如Manual Snapshot Prerequisites中所述。
您不能使用curl来执行此操作,因为它不支持AWS请求签名。而是使用sample Python client,Postman或其他方法发送signed request来注册快照存储库。该请求采用以下形式:
PUT elasticsearch-domain-endpoint/_snapshot/my-snapshot-repo
{
"type": "s3",
"settings": {
"bucket": "s3-bucket-name",
"region": "region",
"role_arn": "arn:aws:iam::123456789012:role/TheSnapshotRole"
}
}
AWS文档参考:Working with Amazon Elasticsearch Service Index Snapshots
答案 1 :(得分:0)
对您的IAM用户具有iam:PassRole权限并尝试使用该命令,