AWS Elastic Search Policy,只允许lambda访问Elastic Search
AWS Elastic Search Policy, only allow lambda to access Elastic Search
我正在 AWS 上设置一个 ElasticSearch 实例。我的目标是只允许从我的 Lambda 函数到 ElasticSearch 实例的 http 请求。我创建了一个策略,它给出了'Lambdaaccess to theElasticSearchinstance. The part I'm struggling with is the inline resource policy forElasticSearchthat will deny all other request that aren't from the 'Lambda。
我已经尝试将 ElasticSearch 资源策略设置为 Deny 所有请求,然后给我的 Lambda 一个可以访问 ElasticSearch. 的角色,而 Lambda 正在使用该角色 我正在使用 axios and aws4 签署我的 http 请求,但请求被拒绝 The request signature we calculated does not match the signature you provided. 我不认为问题是请求的实际签署,而是我创建的策略。如果有人能引导我朝着正确的方向前进,那将非常有帮助。
Lambda Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:CreateElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags",
"es:ESHttpDelete",
"es:GetUpgradeHistory",
"es:AddTags",
"es:ESHttpHead",
"es:RemoveTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomain",
"es:UpgradeElasticsearchDomain",
"es:ESHttpPost",
"es:UpdateElasticsearchDomainConfig",
"es:GetUpgradeStatus",
"es:ESHttpPut"
],
"Resource": "arn:aws:es:us-east-1:,accountid>:domain/<es-instance>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"es:PurchaseReservedElasticsearchInstance",
"es:DeleteElasticsearchServiceRole"
],
"Resource": "*"
}
]
}
ElasticSearch Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-east-1:<account-number>:domain/<es-instance>/*"
}
]
}
Lambda Code Using Aws4 and Axios
//process.env.HOST = search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com
function createRecipesIndex(url, resolve, reject){
axios(aws4.sign({
host: process.env.HOST,
method: "PUT",
url: "https://" + process.env.HOST,
path: '/recipes/',
}))
.then(response => {
console.log("----- SUCCESS INDEX CREATED -----");
resolve();
})
.catch(error => {
console.log("----- FAILED TO CREATE INDEX -----");
console.log(error);
reject();
});
}
注意:我尝试创建索引时将 ElasticSearch 上的内联策略设置为允许 *(all) 并删除 aws4 库签名,它工作正常。现在我只想保护对该资源的访问。
我找到了我的问题的解决方案,而且是 2 倍。第一个问题是我的 ElasticSearch 实例上的内联 resource policy。我需要更新它以允许我赋予 Lambda 的角色。这是通过从 IAM 获取 role arn 然后创建以下策略以内联附加到 ElasticSearch 实例来完成的。
我的第二个问题是 aws4。我设置的 path 和 url 不匹配。我的路径 /xxxx/ 而我的 url 是 https://search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com/xxxx。由于 path 包含在 url 中找不到的额外正斜杠,因此签名失败。对于使用该库的任何其他人,请确保这些值是一致的。我希望这对将来的其他人有所帮助 :D
Elastic Search Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:role/service-role/<role-name>"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:<account-id>:domain/<es-instance>/*"
}
]
}
我正在 AWS 上设置一个 ElasticSearch 实例。我的目标是只允许从我的 Lambda 函数到 ElasticSearch 实例的 http 请求。我创建了一个策略,它给出了'Lambdaaccess to theElasticSearchinstance. The part I'm struggling with is the inline resource policy forElasticSearchthat will deny all other request that aren't from the 'Lambda。
我已经尝试将 ElasticSearch 资源策略设置为 Deny 所有请求,然后给我的 Lambda 一个可以访问 ElasticSearch. 的角色,而 Lambda 正在使用该角色 我正在使用 axios and aws4 签署我的 http 请求,但请求被拒绝 The request signature we calculated does not match the signature you provided. 我不认为问题是请求的实际签署,而是我创建的策略。如果有人能引导我朝着正确的方向前进,那将非常有帮助。
Lambda Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:CreateElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags",
"es:ESHttpDelete",
"es:GetUpgradeHistory",
"es:AddTags",
"es:ESHttpHead",
"es:RemoveTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomain",
"es:UpgradeElasticsearchDomain",
"es:ESHttpPost",
"es:UpdateElasticsearchDomainConfig",
"es:GetUpgradeStatus",
"es:ESHttpPut"
],
"Resource": "arn:aws:es:us-east-1:,accountid>:domain/<es-instance>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"es:PurchaseReservedElasticsearchInstance",
"es:DeleteElasticsearchServiceRole"
],
"Resource": "*"
}
]
}
ElasticSearch Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-east-1:<account-number>:domain/<es-instance>/*"
}
]
}
Lambda Code Using Aws4 and Axios
//process.env.HOST = search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com
function createRecipesIndex(url, resolve, reject){
axios(aws4.sign({
host: process.env.HOST,
method: "PUT",
url: "https://" + process.env.HOST,
path: '/recipes/',
}))
.then(response => {
console.log("----- SUCCESS INDEX CREATED -----");
resolve();
})
.catch(error => {
console.log("----- FAILED TO CREATE INDEX -----");
console.log(error);
reject();
});
}
注意:我尝试创建索引时将 ElasticSearch 上的内联策略设置为允许 *(all) 并删除 aws4 库签名,它工作正常。现在我只想保护对该资源的访问。
我找到了我的问题的解决方案,而且是 2 倍。第一个问题是我的 ElasticSearch 实例上的内联 resource policy。我需要更新它以允许我赋予 Lambda 的角色。这是通过从 IAM 获取 role arn 然后创建以下策略以内联附加到 ElasticSearch 实例来完成的。
我的第二个问题是 aws4。我设置的 path 和 url 不匹配。我的路径 /xxxx/ 而我的 url 是 https://search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com/xxxx。由于 path 包含在 url 中找不到的额外正斜杠,因此签名失败。对于使用该库的任何其他人,请确保这些值是一致的。我希望这对将来的其他人有所帮助 :D
Elastic Search Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:role/service-role/<role-name>"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:<account-id>:domain/<es-instance>/*"
}
]
}