我正在AWS
上设置一个ElasticSearch
实例。我的目标是只允许从Lambda
函数到ElasticSearch
实例的http请求。我创建了一个策略,该策略为"Lambdaaccess to the
ElasticSearchinstance. The part I'm struggling with is the inline resource policy for
ElasticSearchthat will deny all other request that aren't from the 'Lambda
"。
我尝试将ElasticSearch
资源策略设置为Deny
all请求,然后给我的Lambda
一个访问ElasticSearch.
的角色。当Lambda
使用该角色时,我正在使用axios和aw4对我的http请求进行签名,但请求被The request signature we calculated does not match the signature you provided.
拒绝了。我认为问题不在于请求的实际签名,而是我创建的策略。如果有人能引导我朝着正确的方向前进,那真的会有帮助。
Lambda Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:CreateElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags",
"es:ESHttpDelete",
"es:GetUpgradeHistory",
"es:AddTags",
"es:ESHttpHead",
"es:RemoveTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomain",
"es:UpgradeElasticsearchDomain",
"es:ESHttpPost",
"es:UpdateElasticsearchDomainConfig",
"es:GetUpgradeStatus",
"es:ESHttpPut"
],
"Resource": "arn:aws:es:us-east-1:,accountid>:domain/<es-instance>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"es:PurchaseReservedElasticsearchInstance",
"es:DeleteElasticsearchServiceRole"
],
"Resource": "*"
}
]
}
ElasticSearch Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-east-1:<account-number>:domain/<es-instance>/*"
}
]
}
Lambda Code Using Aws4 and Axios
//process.env.HOST = search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com
function createRecipesIndex(url, resolve, reject){
axios(aws4.sign({
host: process.env.HOST,
method: "PUT",
url: "https://" + process.env.HOST,
path: '/recipes/',
}))
.then(response => {
console.log("----- SUCCESS INDEX CREATED -----");
resolve();
})
.catch(error => {
console.log("----- FAILED TO CREATE INDEX -----");
console.log(error);
reject();
});
}
注意:我已经尝试使用ElasticSearch
上的内联策略创建索引,该策略设置为允许*(all(并删除aws4
库签名,效果很好。现在我只想确保访问此资源的安全。
我找到了问题的解决方案,它是2倍。第一个问题是我的ElasticSearch
实例上的内联resource policy
。我需要更新它,以允许我赋予Lambda
的角色。这是通过从IAM
获取role arn
,然后创建以下策略以内联方式附加到ElasticSearch
实例上来完成的。
我的第二期是aws4
。CCD_ 26和CCD_。我的路径为/xxxx/
,而我的url为https://search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com/xxxx
。由于path
包含一个在url
中找不到的额外正斜杠,因此签名失败。对于其他使用库的人,请确保这些值是一致的。我希望这能在未来帮助其他人:D
Elastic Search Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:role/service-role/<role-name>"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:<account-id>:domain/<es-instance>/*"
}
]
}