[Title]: AWS Kinesis Firehose is not sending data to Elasticsearch....IAM permissions?
[Posted]: 2020-10-01 18:28:16
[Question]:

So I have everything set up and working except for the last step, sending data from Firehose to Elasticsearch.

This is the error I get in the Kinesis Firehose Elasticsearch service logs:

Error received from Elasticsearch cluster. {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"},"status":403}

This is the IAM policy I attached (generated by Firehose itself):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-kinesis-backup-mydna",
                "arn:aws:s3:::test-kinesis-backup-mydna/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:us-west-2:917877325894:function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:DescribeElasticsearchDomain",
                "es:DescribeElasticsearchDomains",
                "es:DescribeElasticsearchDomainConfig",
                "es:ESHttpPost",
                "es:ESHttpPut"
            ],
            "Resource": [
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:ESHttpGet"
            ],
            "Resource": [
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_all/_settings",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_cluster/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_mapping/",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/*/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_stats"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:917877325894:log-group:/aws/kinesisfirehose/test_dynamodb:log-stream:*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:ListShards"
            ],
            "Resource": "arn:aws:kinesis:us-west-2:917877325894:stream/%FIREHOSE_STREAM_NAME%"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:917877325894:key/%SSE_KEY_ID%"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "kinesis.%REGION_NAME%.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:kinesis:arn": "arn:aws:kinesis:%REGION_NAME%:917877325894:stream/%FIREHOSE_STREAM_NAME%"
                }
            }
        }
    ]
}

I've tried adding all sorts of different policies but can't get it to work, and I keep getting exactly the same error message.

Any suggestions?

[Comments]:

  • What is the IAM policy attached to? The ES domain, or some role?
  • Attached to Kinesis Firehose
  • Are you sure your ES domain is called test-dynamodb? And what is the ES domain's access policy?
  • @Marcin yes, it's called test-dynamodb. And the policy is { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "" ] }, "Action": ["es:"], "Resource": "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb2/*" }]}
  • Was this policy auto-generated? Normally for es: you would have es:*. Same for the Principal.

Tags: amazon-web-services amazon-iam amazon-kinesis amazon-kinesis-firehose amazon-elasticsearch


[Solution 1]:

I just ran into the same issue. My problem was that I had accidentally assigned the Firehose ARN to the ES role mapping instead of the IAM ARN.

Elastic Search > Security > firehose_delivery_role > mapped users > backend role > {{ this needs to be the Firehose IAM role ARN, not the Firehose ARN itself }}

Incorrect: arn:aws:firehose:us-east-1:000000012345:deliverystream/workshop-firehose

Correct: arn:aws:iam::000000012345:role/service-role/KinesisFirehoseServiceRole-workshop-fire-us-east-1-1609335111111

Before I found the mistake I also tried adding [indices:data/write/bulk] and [indices:data/write/bulk*] to the ES role's cluster and index permissions... but that didn't help.

Hope this helps others running into a similar problem.

[Discussion]:

[Solution 2]:

I ran into the same problem too. I had set up AWS Elasticsearch with Cognito authentication. Adding the Firehose IAM role ARN to the ES access policy resolved the issue:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ESAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<accountID>:role/firehose-assume-role",
          "arn:aws:iam::<accountID>:role/cognito-auth-role"
        ]
      },
      "Action": "es:*",
      "Resource": [
        "arn:aws:es:<region>:<accountID>:domain/es-domain/*",
        "arn:aws:es:<region>:<accountID>:domain/es-domain"
      ]
    }
  ]
}
    

[Discussion]:

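The two answers point at two different authorization layers, and the question's own IAM policy is a third. As an added example (not code from either answer or from AWS), here is a small offline preflight that checks all three places a Firehose delivery role has to be admitted before a `_bulk` write succeeds: the identity policy on the delivery role (the policy in the question already passes this check), the domain's resource-based access policy (Solution 2), and the fine-grained access control backend-role mapping (Solution 1, where the mistake was a delivery-stream ARN in place of the IAM role ARN). The account, region and domain name are reused from the question purely as placeholder values; the sample policies and role mapping are constructed here, and the mapping shape is assumed to be the object under the role name that the Open Distro security API returns from `GET _opendistro/_security/api/rolesmapping/<role>`.

```python
import json
import re

# Placeholder values reused from the question; nothing here contacts AWS.
ACCOUNT = "917877325894"
REGION = "us-west-2"
DOMAIN_ARN = f"arn:aws:es:{REGION}:{ACCOUNT}:domain/test-dynamodb"
FIREHOSE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/firehose_delivery_role"
BULK_ACTIONS = {"es:ESHttpPost", "es:ESHttpPut"}  # what a _bulk request needs from IAM's side

_IAM_ROLE_RE = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")
_FIREHOSE_STREAM_RE = re.compile(r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/.+$")


def iam_match(pattern, value):
    """Match an IAM policy string with '*' and '?' wildcards against a concrete value."""
    regex = "^" + ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _allows(stmt, needed_actions, resource):
    """True if an Allow statement grants at least one of needed_actions on resource."""
    if stmt.get("Effect") != "Allow":
        return False
    action_ok = any(iam_match(a, n) for a in _as_list(stmt.get("Action", [])) for n in needed_actions)
    resource_ok = any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def check_firehose_role_policy(policy):
    """Layer 1: the identity policy attached to the Firehose delivery role."""
    target = DOMAIN_ARN + "/_bulk"
    if any(_allows(s, BULK_ACTIONS, target) for s in policy["Statement"]):
        return []
    return [f"role policy grants none of {sorted(BULK_ACTIONS)} on {target}"]


def check_domain_access_policy(policy):
    """Layer 2: the domain's resource-based access policy (Solution 2)."""
    for s in policy["Statement"]:
        principal = s.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # Principal ARNs do not take wildcards; only the literal "*" is open.
        if any(p in ("*", FIREHOSE_ROLE_ARN) for p in principals) and _allows(s, BULK_ACTIONS, DOMAIN_ARN + "/_bulk"):
            return []
    return [f"domain access policy has no Allow for {FIREHOSE_ROLE_ARN} on {DOMAIN_ARN}/*"]


def check_role_mapping(mapping):
    """Layer 3: fine-grained access control backend-role mapping (Solution 1).

    `mapping` is assumed to be the per-role object, e.g. {"backend_roles": [...], "users": [...]}.
    """
    findings = []
    backend = mapping.get("backend_roles", [])
    for arn in backend:
        if _FIREHOSE_STREAM_RE.match(arn):
            findings.append(f"backend role {arn} is a delivery-stream ARN, not the IAM role Firehose assumes")
        elif not _IAM_ROLE_RE.match(arn):
            findings.append(f"backend role {arn} is not an IAM role ARN")
    if FIREHOSE_ROLE_ARN not in backend:
        findings.append(f"{FIREHOSE_ROLE_ARN} is not mapped as a backend role")
    return findings


def preflight(role_policy, domain_policy, role_mapping):
    """Run all three checks; an empty list means every layer admits the Firehose role."""
    return (check_firehose_role_policy(role_policy)
            + check_domain_access_policy(domain_policy)
            + check_role_mapping(role_mapping))


# --- constructed sample inputs (not from any real account) ---
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["es:DescribeElasticsearchDomain", "es:ESHttpPost", "es:ESHttpPut"],
    "Resource": [DOMAIN_ARN, DOMAIN_ARN + "/*"],
}]}
DOMAIN_POLICY_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [FIREHOSE_ROLE_ARN]},
    "Action": "es:*",
    "Resource": [DOMAIN_ARN, DOMAIN_ARN + "/*"],
}]}
# Same policy scoped to a different domain name: a slip the console accepts silently.
DOMAIN_POLICY_WRONG_DOMAIN = json.loads(
    json.dumps(DOMAIN_POLICY_OK).replace("domain/test-dynamodb", "domain/test-dynamodb2"))
MAPPING_WRONG = {"backend_roles": [f"arn:aws:firehose:{REGION}:{ACCOUNT}:deliverystream/test_dynamodb"], "users": []}
MAPPING_OK = {"backend_roles": [FIREHOSE_ROLE_ARN], "users": []}

if __name__ == "__main__":
    for name, findings in [("broken", preflight(ROLE_POLICY, DOMAIN_POLICY_WRONG_DOMAIN, MAPPING_WRONG)),
                           ("fixed", preflight(ROLE_POLICY, DOMAIN_POLICY_OK, MAPPING_OK))]:
        print(name, "->", findings or "all three layers admit the Firehose role")
```

Run it against the real inputs by dumping the delivery role's policy (`aws iam get-role-policy`), the domain access policy (`aws es describe-elasticsearch-domain-config`), and the role mapping from the security API into the three variables. The order matters for reading the 403: the error quoted in the question names the IAM role ARN as the authenticated user, so the domain already trusts the request and the denial comes from the security plugin's role mapping, which is the Solution 1 layer; a domain access policy rejection would be reported before the request reached the plugin.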