AWS ElasticSearch将数据写入帐户"A"来自帐户"B"中的lambda [英] AWS ElasticSearch write to account "A" from lambda in account "B"
问题描述
我的帐户"A"中有一个AWS ElasticSearch集群.
I have an AWS ElasticSearch Cluster in account "A".
我正在尝试在帐户"B"中创建一个lambda(从DynamoDB流触发),并将其写入帐户"A"中的ES.
I'm trying to create a lambda (triggered from a DynamoDB Stream) in account "B" that will write to ES in account "A".
我遇到以下错误:
{
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES is not authorized to perform: es:ESHttpPost on resource: beta-na-lifeguard"
}
我尝试将STS和ROLE放到ES访问策略中(在帐户"A"中),但没有成功.这是我的政策:
I have tried putting the STS as well as the ROLE into the ES access policy (within account "A") with no luck. Here is my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:user/beta-elasticsearch-admin"
},
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:user/beta-elasticsearch-readwrite",
"arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
"arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES",
"arn:aws:iam::AccountB:role/service-role/lambdaRole1"
]
},
"Action": [
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": "*"
}
]
}
推荐答案
在上面的代码中,我将arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToSNS
添加到AccountA ES访问列表中,这是错误的.而是执行以下操作:
In my code above I was adding arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToSNS
into the AccountA ES access list, that is wrong. Instead do the following:
我在ES访问列表中已经有arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch
,我需要添加一个信任关系(从IAM角色屏幕),以便AccountB可以假定该角色.我将此添加到信任关系中:
I already had arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch
in the ES access list, I needed to add a trust relationship (from the IAM role screen) for that role to be assumable by AccountB. I added this into the trust relationship:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "sts:AssumeRole"
}
然后,在我的accountB lambda代码中,我需要承担该角色.这是来自lambda的相关代码.
Then, in my accountB lambda code, I needed to assume that role. Here is the relevent code from the lambda.
var AWS = require('aws-sdk');
var sts = new AWS.STS({ region: process.env.REGION });
var params = {
RoleSessionName: "hello-cross-account-session",
RoleArn: "arn:aws:iam::accountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
DurationSeconds: 900
};
sts.assumeRole(params, function (err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
context.fail('failed to assume role ' + err);
return;
}
log("assumed role successfully! %j", data)
postToES(bulkUpdateCommand, context);
});
这篇关于AWS ElasticSearch将数据写入帐户"A"来自帐户"B"中的lambda的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!