我的函数可以从本地 Jupyter 笔记本将单个文档和批量索引到我的 AWS Elasticsearch,但是当我部署到 Lambda 时,它不断返回此错误:
"errorMessage": "AuthorizationException(403, 'security_exception', 'no permissions for
[indices:data/write/bulk] and User [name=arn:aws:iam::xxxxxxxxxxxx:role/MyLambdaRole,
backend_roles=[arn:aws:iam::xxxxxxxxxxxx:role/MyLambdaRole], requestedTenant=null]')"
我的 Elasticsearch 域(v7.7)配置如下:
Fine-grained access control: Enabled
Master user type: Internal user database
SAML authentication: Disabled
Amazon Cognito for authentication: Disabled
Require HTTPS: Enabled
Encryption at rest: Enabled
KMS master keyarn:aws:kms:us-east-1:xxxxxxxxxxxxx:key/<aws/es key>
Node-to-node encryption: Enabled
域的访问策略包含:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "*"
}
]
}
MyLambdaRole 的 IAM 策略包含:
...
{
"Action": [
"es:*"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
在 Kibana 中,我已在 Security -> Role Mappings -> all_access 下映射了我的 AWS 管理员 IAM 用户和 MyLambdaRole。我尝试了不同的组合,将它们添加到后端角色并将它们添加到 security_manager。
Lambda 使用 AWS Signature v4 身份验证,elasticsearch 客户端版本为 7.7.0:
import boto3
from elasticsearch import Elasticsearch, RequestsHttpConnection, helpers
from requests_aws4auth import AWS4Auth
session = boto3.Session()
credentials = session.get_credentials().get_frozen_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, \
session.region_name, 'es', session_token=credentials.token)
host = 'search-es-domain.us-east-1.es.amazonaws.com'
es = Elasticsearch(
hosts = [{'host': host, 'port': 443}],
http_auth = awsauth
use_ssl = True,
verify_certs = True,
connection_class = RequestsHttpConnection
)
# Single indexing call
document = { my data }
es.index(index="my_index", doc_type="_doc", id=doc_id, body=document)
# Bulk indexing call
k = ({ my data })
helpers.bulk(es, k)
如果我更换http_auth = awsauth
使用我的 Kibana 凭证http_auth = (kibana_username, kibana_password)
它返回状态 200,但索引中没有创建新文档,这很奇怪。
我想知道我可能缺少什么或者我的配置可能在哪里被关闭。