【问题标题】:AWS : Create Cloud Watch log group subscriber to Elastic Search on another AWS accountAWS :在另一个 AWS 账户上创建 Elastic Search 的 Cloud Watch 日志组订阅者
【发布时间】:2020-07-13 03:14:06
【问题描述】:

我有两个 AWS 账户,一个 AWS 账户“A”包含 Cloud Watch,其中包含数据流(之前我创建了订阅者以使用 AWS 控制台将日志发送到同一账户中的 Elastic Search 实例,它工作得很好) 所以我删除了以前的订阅者并为账户 B 创建了一个(使用账户 B ARN 和域) 当我尝试流式传输日志时,我在转发日志的 Lambda 中遇到了以下错误:

{
    "errorType": "Error",
    "errorMessage": "{\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
    "stack": [
        "Error: {\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
        "    at _homogeneousError (/var/runtime/CallbackContext.js:13:12)",
        "    at postError (/var/runtime/CallbackContext.js:30:51)",
        "    at done (/var/runtime/CallbackContext.js:57:7)",
        "    at fail (/var/runtime/CallbackContext.js:69:7)",
        "    at Object.fail (/var/runtime/CallbackContext.js:105:16)",
        "    at /var/task/index.js:42:25",
        "    at IncomingMessage.<anonymous> (/var/task/index.js:176:13)",
        "    at IncomingMessage.emit (events.js:203:15)",
        "    at endReadableNT (_stream_readable.js:1145:12)",
        "    at process._tickCallback (internal/process/next_tick.js:63:19)"
    ]
}

我有以下 IAM 角色:

帐户 A lambda 角色

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": "arn:aws:es:*:<account B id>:*"
        }
    ]
}

帐户 B 角色(具有信任关系):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": "*"
        }
    ]
}

Trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account A id>:role/lambda_elasticsearch_execution"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

我按照下面的指南进行操作,但仍然在相同的错误中运行

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/

有人知道我缺少什么吗?

提前致谢!

【问题讨论】:

    标签: amazon-web-services aws-lambda amazon-iam amazon-cloudwatch aws-elasticsearch


    【解决方案1】:

    我遇到了同样的问题...要解决这个问题并不像你想象的那么难。 让我们开始帐户 A(编号 1234567890)在 cloudwatch 中的日志组。账户 B(编号 0987654321)包含正在运行的弹性搜索 (ES)。帐户 A 正在运行 lambda 或使用角色名称 (SentCloudwatchToES)。 这是起点。现在转到账户 B,打开 ES 的策略。这是您在创建 ES 堆栈期间创建的策略。你可以通过AWS中的ES部分找到它! (转到 AWS 中的 ES,单击域,单击操作,修改访问策略)编辑策略,包含以下部分:

       {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::1234567890:role/service-role/SentCloudwatchToES",
            ]
          },
          "Action": "es:*",
          "Resource": "arn:aws:es:<YOUR-REGION>:0987654321:domain/<YOUR-ES-DOMIAN>/*"
        }
    

    安全,等待几分钟,以便 AWS 可以在 ES 中处理策略。 现在设置/配置从账户 A 到账户 B 到 ES 的日志流。

    【讨论】:

      猜你喜欢
      • 2018-11-12
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2019-12-02
      • 1970-01-01
      • 2021-10-12
      • 2021-06-26
      • 1970-01-01
      相关资源
      最近更新 更多