部署无服务器应用程序失败-启用细粒度访问控制或对您的域应用限制性访问策略 [英] Deployment of servless app fails - Enable fine-grained access control or apply a restrictive access policy to your domain
本文介绍了部署无服务器应用程序失败-启用细粒度访问控制或对您的域应用限制性访问策略的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有一个无服务器应用程序,我想在其中部署ElasticSearch集群。我将其配置如下:
PostsSearch:
Type: AWS::Elasticsearch::Domain
Properties:
ElasticsearchVersion: '6.3'
DomainName: images-search-${self:provider.stage}
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
InstanceCount: 1
ZoneAwarenessEnabled: false
InstanceType: t2.small.elasticsearch
EBSOptions:
EBSEnabled: true
Iops: 0
VolumeSize: 10
VolumeType: 'gp2'
AccessPolicies:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: '*'
Action: 'es:ESHttp*'
Resource: '*'
但是,我收到一个错误:
出现错误:PostSearch-启用细粒度访问控制或 对您的域应用限制性访问策略(服务: AWSElasticearch;状态码:400;错误码:ValidationException; 请求ID:be0eca95-23ae-4ac9-be81-67Cab37ccd70;代理:空)。
我应该如何修复此问题?
推荐答案
基于评论中的额外讨论。
不可能将ES域完全公开。CloudForment不允许这样做。因此,有三个选项 要从中选择。下面,我将在一个无服务器应用程序示例中展示其中的三个。这只是基本的问候世界 应用程序,它不以任何身份使用ES域,但我使用它来验证每个选项是否有效并且 可以使用无服务器框架部署,不会出错。
应用基于IP的条件
这将使您的域只允许访问单个IP地址或IP CIDR范围。 下面的示例限制对单个IP地址的访问。service: estest
provider:
name: aws
runtime: python3.8
stage: ${opt:stage, 'dev'}
region: ${opt:region, 'us-east-1'}
functions:
hello:
handler: handler.hello
resources:
Resources:
PostsSearch:
Type: AWS::Elasticsearch::Domain
Properties:
ElasticsearchVersion: '6.3'
DomainName: images-search-${self:provider.stage}
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
InstanceCount: 1
ZoneAwarenessEnabled: false
InstanceType: t2.small.elasticsearch
EBSOptions:
EBSEnabled: true
Iops: 0
VolumeSize: 10
VolumeType: 'gp2'
AccessPolicies:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: '*'
Action: 'es:ESHttp*'
Resource: !Sub "arn:aws:es:${self:provider.region}:${AWS::AccountId}:domain/images-search-${self:provider.stage}/*"
Condition:
IpAddress:
aws:SourceIp: ["12.13.14.15"]
限制主体
您可以将对ES域的访问限制为选定的IAM用户或角色。这样,只有给定的 IAM用户/角色将能够访问ES域。在下面的文章中,我使用lambda现有的IAM角色 作为一项原则。该函数及其角色必须已存在。service: estest
provider:
name: aws
runtime: python3.8
stage: ${opt:stage, 'dev'}
region: ${opt:region, 'us-east-1'}
functions:
hello:
handler: handler.hello
resources:
Resources:
PostsSearch:
Type: AWS::Elasticsearch::Domain
Properties:
ElasticsearchVersion: '6.3'
DomainName: images-search-${self:provider.stage}
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
InstanceCount: 1
ZoneAwarenessEnabled: false
InstanceType: t2.small.elasticsearch
EBSOptions:
EBSEnabled: true
Iops: 0
VolumeSize: 10
VolumeType: 'gp2'
AccessPolicies:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: 'es:ESHttp*'
Principal:
AWS: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/lambda-function-es-role-b44mvudf"
Resource: !Sub "arn:aws:es:${self:provider.region}:${AWS::AccountId}:domain/images-search-${self:provider.stage}/*"
使用细粒度访问控制
此处的示例创建可公开访问的ES域,该域具有细粒度的控件
需要用户名和密码。此在自由层中不起作用。我也是
硬编码的用户名和密码,显然需要修改和
在实际应用程序中作为SSM Parameter store
中的参数提供。
service: estest
provider:
name: aws
runtime: python3.8
stage: ${opt:stage, 'dev'}
region: ${opt:region, 'us-east-1'}
functions:
hello:
handler: handler.hello
resources:
Resources:
PostsSearch:
Type: AWS::Elasticsearch::Domain
Properties:
DomainName: images-search-${self:provider.stage}
AccessPolicies: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}
]
}
AdvancedSecurityOptions:
Enabled: true
InternalUserDatabaseEnabled: true
MasterUserOptions:
MasterUserName: admin
MasterUserPassword: fD343sfdf!3rf
EncryptionAtRestOptions:
Enabled: true
NodeToNodeEncryptionOptions:
Enabled: true
DomainEndpointOptions:
EnforceHTTPS: true
EBSOptions:
EBSEnabled: true
VolumeSize: 20
VolumeType: gp2
ElasticsearchClusterConfig:
DedicatedMasterEnabled: false
InstanceCount: 1
InstanceType: c4.large.elasticsearch
ZoneAwarenessEnabled: false
ElasticsearchVersion: 7.7
这篇关于部署无服务器应用程序失败-启用细粒度访问控制或对您的域应用限制性访问策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文