Question

我无法访问具有以下访问策略的AWS ES集群，我的IP是列出的IP之一，请告知您是否缺少某些内容。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "52.000.000.07",
            "54.00.000.000"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*"
    }
  ]
}

Answer 1

我做了更多的挖掘工作，我相信这是您想要的：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxxx-prod-eb-role",
          "arn:aws:iam::OUR_ACCOUNT_ID:role/xxxx-staging-eb-role"
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:OUR_ACCOUNT_ID:domain/xxxx-xxxxx-poc/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "52.000.000.07",
            "54.00.000.000"
         ]
        }
      }
    }
  ]
}

我的repo wiki page

中有更多详细信息

无法访问AWS Elasticsearch集群，IAM策略问题

1 个答案: