gpt4 book ai didi

amazon-web-services - AWS ElasticSearch 从账户 "A"中的 lambda 写入账户 "B"

转载 作者:行者123 更新时间:2023-12-02 22:10:36 26 4
gpt4 key购买 nike

我在账户“A”中有一个 AWS ElasticSearch 集群。

我正在尝试在帐户“B”中创建一个 lambda(从 DynamoDB 流触发),它将写入帐户“A”中的 ES。

我收到以下错误:

{
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES is not authorized to perform: es:ESHttpPost on resource: beta-na-lifeguard"
}

我曾尝试将 STS 和 ROLE 放入 ES 访问策略(在帐户“A”中),但没有成功。这是我的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:user/beta-elasticsearch-admin"
},
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:user/beta-elasticsearch-readwrite",
"arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
"arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES",
"arn:aws:iam::AccountB:role/service-role/lambdaRole1"
]
},
"Action": [
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": "*"
}
]
}

最佳答案

在我上面的代码中,我添加了 arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToSNS进入 AccountA ES 访问列表,这是错误的。而是执行以下操作:

我已经有了 arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch在 ES 访问列表中,我需要为 AccountB 可代入的角色添加信任关系(从 IAM 角色屏幕)。我将其添加到信任关系中:

{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "sts:AssumeRole"
}

然后,在我的 accountB lambda 代码中,我需要承担该角色。这是来自 lambda 的相关代码。
var AWS = require('aws-sdk');
var sts = new AWS.STS({ region: process.env.REGION });
var params = {
RoleSessionName: "hello-cross-account-session",
RoleArn: "arn:aws:iam::accountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
DurationSeconds: 900
};
sts.assumeRole(params, function (err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
context.fail('failed to assume role ' + err);
return;
}
log("assumed role successfully! %j", data)
postToES(bulkUpdateCommand, context);
});

关于amazon-web-services - AWS ElasticSearch 从账户 "A"中的 lambda 写入账户 "B",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46655097/

26 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com