[Posted]: 2020-07-13 03:14:06
[Question]:
I have two AWS accounts. Account "A" contains CloudWatch with the log streams (previously I created a subscriber using the AWS console to send the logs to an Elasticsearch instance in the same account, and it worked fine). So I deleted the previous subscriber and created one for account B (using account B's ARN and domain). When I try to stream the logs, I get the following error in the Lambda that forwards the logs:
{
  "errorType": "Error",
  "errorMessage": "{\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
  "stack": [
    "Error: {\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
    "    at _homogeneousError (/var/runtime/CallbackContext.js:13:12)",
    "    at postError (/var/runtime/CallbackContext.js:30:51)",
    "    at done (/var/runtime/CallbackContext.js:57:7)",
    "    at fail (/var/runtime/CallbackContext.js:69:7)",
    "    at Object.fail (/var/runtime/CallbackContext.js:105:16)",
    "    at /var/task/index.js:42:25",
    "    at IncomingMessage.<anonymous> (/var/task/index.js:176:13)",
    "    at IncomingMessage.emit (events.js:203:15)",
    "    at endReadableNT (_stream_readable.js:1145:12)",
    "    at process._tickCallback (internal/process/next_tick.js:63:19)"
  ]
}
I have the following IAM roles:
Account A Lambda role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "arn:aws:es:*:<account B id>:*"
    }
  ]
}
Account B role (with trust relationship):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:CreateLogGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "es:ESHttpPost",
      "Resource": "*"
    }
  ]
}
Trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account A id>:role/lambda_elasticsearch_execution"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I followed the guides below but still run into the same error:
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
Does anyone know what I'm missing?
Thanks in advance!
[Discussion]:
Tags: amazon-web-services aws-lambda amazon-iam amazon-cloudwatch aws-elasticsearch