我有一个服务,可以使pricenteelasticsearchdomain呼叫启动启动(获取URI),并且该调用失败。
我觉得这有点令人困惑,因为该域具有访问策略,我认为它可以为AWS的任何内容打开它,以描述eellasticsearchdomain(老实说,这可能是下面的代码是错误的 - 书写方式有点可疑)。
这是错误:
org.springframework.beans.BeanInstantiationException: Failed to instantiate [classname]: Constructor threw exception; nested exception is com.amazonaws.services.elasticsearch.model.AWSElasticsearchException: User: arn:aws:sts::{account-id}:assumed-role/{long-role-info} is not authorized to perform: es:DescribeElasticsearchDomain on resource: arn:aws:es:{region}:{account-id}:domain/{domain-name} (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: 22e29929-3c70-11e9-97e9-edb3ab09a546)
和访问策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains"
],
"Resource": "arn:aws:es:{region}:{account-id}:domain/{domain-name}/*"
}
]
}
有人知道如何正确执行此操作?
编辑:我还将包括进行调用的代码
private static String fetchElasticUri(String env) {
AWSElasticsearch awsElasticsearch = AWSElasticsearchClientBuilder.defaultClient();
DescribeElasticsearchDomainRequest describeElasticsearchDomainRequest = new DescribeElasticsearchDomainRequest()
.withDomainName(domain-name);
DescribeElasticsearchDomainResult describeElasticsearchDomainResult = awsElasticsearch.describeElasticsearchDomain(describeElasticsearchDomainRequest);
ElasticsearchDomainStatus elasticsearchDomainStatus = describeElasticsearchDomainResult.getDomainStatus();
return "https://" + elasticsearchDomainStatus.getEndpoints().get("vpc");
}
资源策略(附加到ES域)允许任何人执行操作(ES:DECRICT ....),但是代码使用的角色是否允许实体假设执行的角色(ES:描述...)?在不明确允许的情况下,对ES行动有隐性的否认。
添加ES:*到角色策略并重新测试您的场景。