I have an AWS ElasticSearch cluster in account "A".
I am trying to create a lambda in account "B" (triggered via an API) that fetches data from the ES in account "A".
I get the following error:
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole is not authorized to perform: es:ESHttpPost because no resource-based policy allows the es:ESHttpPost action"
My access policy in the ES security configuration:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        List of IP Addresses
                    ]
                }
            }
        }
    ]
}
I modified the access policy, but I still face the same problem:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::AccountB:root"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:AccountA:domain/domainName/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        List Of Ip Addresses
                    ]
                }
            }
        }
    ]
}
1 answer
Try explicitly allowing the role arn:aws:sts::AccountB:assumed-role/lambdaRole to perform all actions on the Elasticsearch domain in AccountA.
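As an added illustration (not part of the question or the answer above), here is a constructed Python model of how a domain access policy decides a request. It shows why an `"AWS": "*"` statement guarded by an `aws:SourceIp` condition never matches a Lambda that has no listed egress address, while a statement naming the role's IAM ARN (`arn:aws:iam::AccountB:role/lambdaRole`, the form a resource policy accepts for any session of the role) does. The account ids, session name and CIDR are placeholders; the model deliberately omits the identity-based policy on the Lambda role, which cross-account IAM also requires, and Deny statements.

```python
import fnmatch
import ipaddress

# Constructed, simplified model of a resource-based (domain access) policy
# evaluation. It is NOT the real IAM engine: cross-account calls also need an
# identity-based Allow on the Lambda role, and any explicit Deny would win.
DOMAIN = "arn:aws:es:us-east-1:AccountA:domain/domainName"        # from the question
CALLER = "arn:aws:sts::AccountB:assumed-role/lambdaRole/lambda-session"  # session name constructed

def principal_matches(allowed, caller_arn):
    """Match one Principal.AWS entry against an assumed-role session ARN."""
    if allowed == "*":
        return True
    account = caller_arn.split(":")[4]
    role = caller_arn.split(":")[5].split("/")[1]
    return allowed in (f"arn:aws:iam::{account}:root",         # whole account delegated
                       f"arn:aws:iam::{account}:role/{role}",  # the role, any session
                       caller_arn)                             # this exact session

def condition_matches(condition, ctx):
    """Only IpAddress is modelled. A request whose context lacks aws:SourceIp
    (e.g. a Lambda without a fixed egress address) cannot satisfy it."""
    for op, keys in condition.items():
        if op != "IpAddress":
            return False
        for key, cidrs in keys.items():
            if key not in ctx:
                return False
            ip = ipaddress.ip_address(ctx[key])
            if not any(ip in ipaddress.ip_network(c) for c in cidrs):
                return False
    return True

def is_allowed(policy, caller_arn, action, resource, ctx):
    """Default deny; the first matching Allow statement grants the request."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Allow"
                and principal_matches(st["Principal"]["AWS"], caller_arn)
                and fnmatch.fnmatchcase(action, st["Action"])
                and fnmatch.fnmatchcase(resource, st["Resource"])
                and condition_matches(st.get("Condition", {}), ctx)):
            return True
    return False

# The asker's first policy (CIDR constructed) and one naming the role explicitly.
IP_ONLY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
           "Resource": DOMAIN + "/*", "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]}
ROLE_ALLOWED = {"Statement": [{"Effect": "Allow", "Action": "es:*", "Resource": DOMAIN + "/*",
                "Principal": {"AWS": "arn:aws:iam::AccountB:role/lambdaRole"}}]}
```

Calling `is_allowed(IP_ONLY, CALLER, "es:ESHttpPost", DOMAIN + "/_search", {})` returns False, reproducing the "no resource-based policy allows" outcome, while the same call against `ROLE_ALLOWED` returns True.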