如何从 Amazon elasticsearch 服务访问 Kibana? [英] How to access Kibana from Amazon elasticsearch service?
问题描述
我创建了 Amazon elasticsearch 服务,并使用安装在 EC2 实例上的 logstash 将数据填充到其中.在 Amazon elasticservice 控制台页面上,会有一个访问 Kibana 的链接.
I created Amazon elasticsearch service and populated data into it using logstash, which has been installed on an EC2 instance. On the Amazon elasticservice console page, there will be a link to access Kibana.
search-cluster_name-XXXXXXXXXXXXXXXXXXX.region_name.es.amazonaws.com/_plugin/kibana/
当我点击链接时,浏览器抛出以下错误.
when I click the link, browser is throwing the following error.
{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:region_name:account_id:domain/cluster_name/_plugin/kibana/"}
我确定这与 ES 域的访问策略有关.我应该如何修改我的访问策略,以便我可以通过单击指定的链接访问 Kibana?
I'm sure that this has something related with access policy of ES domain.How should I modify my access policy so that I can access Kibana from a click on the link specified ?
推荐答案
您可以使用基于 IAM 和 IP 地址的访问来设置访问策略.在此处查看我的答案.简而言之:
You can setup an Access Policy with both IAM and IP-address based access. See my answer here. In short:
- EC2 实例需要具有
arn:aws:iam::aws:policy/AmazonESFullAccess
策略的配置文件 - 策略应包括两个声明:第一个列出 IAM 访问权限,第二个列出 IP 访问权限.
这是一个示例策略(语句顺序很重要!)
Here's an example policy (statement order is important!)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-west-2:xxxxxxxxxxxx:domain/my-elasticsearch-domain/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"192.168.1.0",
"192.168.1.1"
]
}
}
}
]
}
这篇关于如何从 Amazon elasticsearch 服务访问 Kibana?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!