When creating an AWS Elasticsearch domain I used an IPv4-based access policy. I tried using my public IP address, and also allowing all IP addresses, but when I try to use Kibana I still cannot get access.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxx:domain/xxxxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "*"
        }
      }
    }
  ]
}
or
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxx:domain/xxxxxx/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "xx.xx.xx.xx/32"
        }
      }
    }
  ]
}
When I click the Kibana link, I always get the error message:
{
  "Message": "User: anonymous is not authorized to perform: es:ESHttpGet"
}
Any ideas about the access policy configuration?
Answer 0 (score: 0)
I don't think "aws:SourceIp" supports wildcards. For an open access policy, just remove the Condition block:
[Note: this is not recommended, since it will open your cluster to the world]
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-west-2:xxxxxxx:domain/xxxxx/*"
    }
  ]
}
The access policy should work when you whitelist a specific IP. Maybe whitelist the public IP of an EC2 instance and then curl the endpoint from that instance to make sure there is nothing wrong with the ES cluster itself:
curl <es-endpoint>
{
  "name" : "xxxx",
  "cluster_name" : "xxxx",
  "cluster_uuid" : "xxxx",
  "version" : {
    "number" : "7.2.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "xxxx",
    "build_date" : "xxxx",
    "build_snapshot" : false,
    "lucene_version" : "8.0.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
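The following is an added example, not code from the question or the answer above: an offline simulator of how the IpAddress condition in an Amazon Elasticsearch Service domain access policy is evaluated for an anonymous request (Principal "*" with no SigV4 signature, which is what a browser sends when you open the Kibana link). It reproduces the two points in the thread: aws:SourceIp values must be CIDR blocks, so the first policy's bare "*" is not a valid value, and an anonymous Allow with no Condition at all leaves the domain open to everyone. The account id, domain name and IP addresses (RFC 5737 test ranges) are constructed stand-ins for the redacted values in the question. One check worth remembering when using the second policy: the address that has to match the /32 is the public IP that AWS sees on the request, i.e. the IP of the browser running Kibana, not the IP of some other machine you happen to be logged into.

```python
"""Offline simulator for an anonymous-access ES domain policy (added example)."""
import ipaddress
import json
from typing import Any, Dict, List, Union

# Constructed stand-in for the redacted ARN in the question.
DOMAIN_ARN = "arn:aws:es:us-west-2:111122223333:domain/example-domain/*"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def parse_source_ips(values: Union[str, List[str]]) -> List[Network]:
    """aws:SourceIp takes CIDR blocks (e.g. 203.0.113.10/32); a bare '*' is not one."""
    nets: List[Network] = []
    for v in _as_list(values):
        try:
            nets.append(ipaddress.ip_network(v, strict=False))
        except ValueError as exc:
            raise ValueError(f"aws:SourceIp value {v!r} is not a valid CIDR block") from exc
    return nets


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: exact, or prefix match on a trailing '*' (es:* covers es:ESHttpGet)."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def statement_applies(stmt: Dict[str, Any], action: str, source_ip: str) -> bool:
    """Does this statement's Effect apply to an anonymous request for `action` from `source_ip`?"""
    if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
        return False
    ip_values = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if ip_values is None:
        return True  # no condition: the statement applies to every caller
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in parse_source_ips(ip_values))


def evaluate(policy: Dict[str, Any], action: str, source_ip: str) -> str:
    """Default deny; an applicable Deny always wins; otherwise an applicable Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, source_ip):
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag the two problems from the thread: an unparseable aws:SourceIp, and an
    anonymous Allow with no Condition at all (cluster open to the world)."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        cond = stmt.get("Condition", {})
        ip_values = cond.get("IpAddress", {}).get("aws:SourceIp")
        if ip_values is not None:
            try:
                parse_source_ips(ip_values)
            except ValueError as exc:
                problems.append(f"statement {i}: {exc}")
        anonymous = stmt.get("Principal") in ({"AWS": "*"}, "*")
        if stmt["Effect"] == "Allow" and anonymous and not cond:
            problems.append(f"statement {i}: anonymous Allow with no Condition; domain is open to the world")
    return problems


def make_policy(source_ip_condition: Union[str, List[str], None]) -> Dict[str, Any]:
    """Build an anonymous-Allow policy shaped like those in the question; None drops the condition."""
    stmt: Dict[str, Any] = {"Effect": "Allow", "Principal": {"AWS": "*"},
                            "Action": "es:*", "Resource": DOMAIN_ARN}
    if source_ip_condition is not None:
        stmt["Condition"] = {"IpAddress": {"aws:SourceIp": source_ip_condition}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    wildcard = make_policy("*")              # the questioner's first attempt
    pinned = make_policy("203.0.113.10/32")  # the second attempt, with a real CIDR
    open_policy = make_policy(None)          # the answer's "not recommended" policy
    for name, pol in [("wildcard", wildcard), ("pinned", pinned), ("open", open_policy)]:
        print(name, json.dumps(lint_policy(pol)))
    # Anonymous es:ESHttpGet (what Kibana issues) from the pinned IP and from elsewhere.
    print(evaluate(pinned, "es:ESHttpGet", "203.0.113.10"))
    print(evaluate(pinned, "es:ESHttpGet", "198.51.100.7"))
```

Running the script lints all three policies and then evaluates an anonymous es:ESHttpGet against the /32 policy from the pinned address (Allow) and from an unrelated address (Deny). Evaluating the wildcard policy raises the CIDR error instead of silently denying, which is the behaviour you want from a pre-deploy check: a policy that cannot be parsed should fail loudly before it is attached to the domain.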