403 error when indexing data from AWS Lambda into Elasticsearch with SigV4: "no permissions for [indices:data/write/bulk]"

vbkedwbf, posted 2021-06-10 in ElasticSearch

My function can index single and bulk documents into my AWS Elasticsearch domain from a local Jupyter notebook, but when I deploy it to Lambda it keeps returning the following error:

"errorMessage": "AuthorizationException(403, 'security_exception', 'no permissions for
[indices:data/write/bulk] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/MyLambdaRole,
backend_roles=[arn:aws:iam::xxxxxxxxxxxx:role/MyLambdaRole], requestedTenant=null]')"

My Elasticsearch domain (v7.7) is configured as follows:

Fine-grained access control: Enabled
Master user type: Internal user database
SAML authentication: Disabled
Amazon Cognito for authentication: Disabled
Require HTTPS: Enabled
Encryption at rest: Enabled
KMS master key: arn:aws:kms:us-east-1:xxxxxxxxxxxxx:key/<aws/es key>
Node-to-node encryption: Enabled

The domain's access policy contains:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "*"
    }
  ]
}

The IAM policy for MyLambdaRole contains:

...
        {
            "Action": [
                "es:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]

In Kibana, under Security -> Role Mappings -> all_access, I mapped the AWS admin IAM user and MyLambdaRole. I tried different combinations of adding them as backend roles and adding them to the security manager.
The Lambda uses AWS Signature V4 authentication, and the Elasticsearch client is version 7.7.0:

import boto3
from elasticsearch import Elasticsearch, RequestsHttpConnection, helpers
from requests_aws4auth import AWS4Auth

# Credentials come from the Lambda execution role (MyLambdaRole) at runtime
session = boto3.Session()
credentials = session.get_credentials().get_frozen_credentials()

awsauth = AWS4Auth(credentials.access_key, credentials.secret_key,
                   session.region_name, 'es', session_token=credentials.token)

host = 'search-es-domain.us-east-1.es.amazonaws.com'

es = Elasticsearch(
    hosts=[{'host': host, 'port': 443}],
    http_auth=awsauth,
    use_ssl=True,
    verify_certs=True,
    connection_class=RequestsHttpConnection
)

# Single indexing call

document = { my data }
es.index(index="my_index", doc_type="_doc", id=doc_id, body=document)

# Bulk indexing call

k = ({ my data })
helpers.bulk(es, k)

If I replace http_auth = awsauth with my Kibana credentials, http_auth = (kibana_username, kibana_password), it returns status 200, but no new documents are created in the index, which is strange.
I'd like to know what I might be missing or where my configuration might be off.
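As an added diagnostic (not code from the question), a Python helper that pulls the principal out of a fine-grained-access 403 message like the one above and checks it against a role-mapping document in the shape returned by the domain's security API (`GET _opendistro/_security/api/rolesmapping`, assumed). The sample error and mappings are constructed, with a placeholder account id; which roles count as "writer" roles is an assumption (all_access grants every index permission).

```python
import re

# Constructed sample: the 403 body from the question, with a placeholder account id.
ERROR_403 = ("AuthorizationException(403, 'security_exception', 'no permissions for "
             "[indices:data/write/bulk] and User [name=arn:aws:iam::123456789012:role/MyLambdaRole, "
             "backend_roles=[arn:aws:iam::123456789012:role/MyLambdaRole], requestedTenant=null]')")

# Constructed sample in the shape of GET _opendistro/_security/api/rolesmapping
# (role name -> mapping). Here the Lambda role ARN is mapped only as a user of
# "readall", so nothing grants it indices:data/write/bulk.
ROLE_MAPPINGS = {
    "all_access": {"users": ["admin"], "backend_roles": ["arn:aws:iam::123456789012:user/aws-admin"], "hosts": []},
    "readall": {"users": ["arn:aws:iam::123456789012:role/MyLambdaRole"], "backend_roles": [], "hosts": []},
}

# Matches the "User [name=..., backend_roles=[...]" fragment of the security_exception.
PRINCIPAL_RE = re.compile(r"User \[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]")


def principal_from_403(message):
    """Return (user_name, backend_roles) named in a fine-grained-access 403 body."""
    m = PRINCIPAL_RE.search(message)
    if not m:
        raise ValueError("no principal found in message")
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return m.group("name"), roles


def mapped_roles(mappings, name, backend_roles):
    """Security roles whose mapping matches the principal by user name or by backend role."""
    matched = set()
    for role, mapping in mappings.items():
        if name in mapping.get("users", []):
            matched.add(role)
        if set(backend_roles) & set(mapping.get("backend_roles", [])):
            matched.add(role)
    return sorted(matched)


def can_bulk_write(mappings, message, writer_roles=("all_access",)):
    """True when the 403 principal is mapped to a role assumed to grant indices:data/write/bulk."""
    name, backend = principal_from_403(message)
    return any(r in writer_roles for r in mapped_roles(mappings, name, backend))
```

The ARN the check has to find is the one printed in the error, not the STS assumed-role ARN of the Lambda invocation.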
