AWS ElasticSearch将数据写入帐户"A"来自帐户"B"中的lambda [英] AWS ElasticSearch write to account "A" from lambda in account "B"

查看:144
本文介绍了AWS ElasticSearch将数据写入帐户"A"来自帐户"B"中的lambda的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我的帐户"A"中有一个AWS ElasticSearch集群.

I have an AWS ElasticSearch Cluster in account "A".

我正在尝试在帐户"B"中创建一个lambda(从DynamoDB流触发),并将其写入帐户"A"中的ES.

I'm trying to create a lambda (triggered from a DynamoDB Stream) in account "B" that will write to ES in account "A".

我遇到以下错误:

{
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES is not authorized to perform: es:ESHttpPost on resource: beta-na-lifeguard"
}

我尝试将STS和ROLE放到ES访问策略中(在帐户"A"中),但没有成功.这是我的政策:

I have tried putting the STS as well as the ROLE into the ES access policy (within account "A") with no luck. Here is my policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountA:user/beta-elasticsearch-admin"
      },
      "Action": "es:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::AccountA:user/beta-elasticsearch-readwrite",
          "arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
          "arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES",
          "arn:aws:iam::AccountB:role/service-role/lambdaRole1"
        ]
      },
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpPost",
        "es:ESHttpPut"
      ],
      "Resource": "*"
    }
  ]
}

推荐答案

在上面的代码中,我将arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToSNS添加到AccountA ES访问列表中,这是错误的.而是执行以下操作:

In my code above I was adding arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToSNS into the AccountA ES access list, that is wrong. Instead do the following:

我在ES访问列表中已经有arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch,我需要添加一个信任关系(从IAM角色屏幕),以便AccountB可以假定该角色.我将此添加到信任关系中:

I already had arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch in the ES access list, I needed to add a trust relationship (from the IAM role screen) for that role to be assumable by AccountB. I added this into the trust relationship:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::AccountB:root"
  },
  "Action": "sts:AssumeRole"
}

然后,在我的accountB lambda代码中,我需要承担该角色.这是来自lambda的相关代码.

Then, in my accountB lambda code, I needed to assume that role. Here is the relevent code from the lambda.

var AWS = require('aws-sdk');
var sts = new AWS.STS({ region: process.env.REGION });
var params = {
    RoleSessionName: "hello-cross-account-session",
    RoleArn: "arn:aws:iam::accountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
    DurationSeconds: 900
};
sts.assumeRole(params, function (err, data) {
    if (err) {
        console.log(err, err.stack); // an error occurred
        context.fail('failed to assume role ' + err);
        return;
    }
    log("assumed role successfully! %j", data)
    postToES(bulkUpdateCommand, context);
});

这篇关于AWS ElasticSearch将数据写入帐户"A"来自帐户"B"中的lambda的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆