我正在AWS上设置一个ElasticSearch实例。我的目标是只允许从Lambda函数到ElasticSearch实例的http请求。我创建了一个策略,该策略为"Lambdaaccess to theElasticSearchinstance. The part I'm struggling with is the inline resource policy forElasticSearchthat will deny all other request that aren't from the 'Lambda"。
我尝试将ElasticSearch资源策略设置为Denyall请求,然后给我的Lambda一个访问ElasticSearch.的角色。当Lambda使用该角色时,我正在使用axios和aw4对我的http请求进行签名,但请求被The request signature we calculated does not match the signature you provided.拒绝了。我认为问题不在于请求的实际签名,而是我创建的策略。如果有人能引导我朝着正确的方向前进,那真的会有帮助。
Lambda Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:CreateElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags",
"es:ESHttpDelete",
"es:GetUpgradeHistory",
"es:AddTags",
"es:ESHttpHead",
"es:RemoveTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomain",
"es:UpgradeElasticsearchDomain",
"es:ESHttpPost",
"es:UpdateElasticsearchDomainConfig",
"es:GetUpgradeStatus",
"es:ESHttpPut"
],
"Resource": "arn:aws:es:us-east-1:,accountid>:domain/<es-instance>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"es:PurchaseReservedElasticsearchInstance",
"es:DeleteElasticsearchServiceRole"
],
"Resource": "*"
}
]
}
ElasticSearch Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-east-1:<account-number>:domain/<es-instance>/*"
}
]
}
Lambda Code Using Aws4 and Axios
//process.env.HOST = search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com
function createRecipesIndex(url, resolve, reject){
axios(aws4.sign({
host: process.env.HOST,
method: "PUT",
url: "https://" + process.env.HOST,
path: '/recipes/',
}))
.then(response => {
console.log("----- SUCCESS INDEX CREATED -----");
resolve();
})
.catch(error => {
console.log("----- FAILED TO CREATE INDEX -----");
console.log(error);
reject();
});
}
注意:我已经尝试使用ElasticSearch上的内联策略创建索引,该策略设置为允许*(all(并删除aws4库签名,效果很好。现在我只想确保访问此资源的安全。
我找到了问题的解决方案,它是2倍。第一个问题是我的ElasticSearch实例上的内联resource policy。我需要更新它,以允许我赋予Lambda的角色。这是通过从IAM获取role arn,然后创建以下策略以内联方式附加到ElasticSearch实例上来完成的。
我的第二期是aws4。CCD_ 26和CCD_。我的路径为/xxxx/,而我的url为https://search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com/xxxx。由于path包含一个在url中找不到的额外正斜杠,因此签名失败。对于其他使用库的人,请确保这些值是一致的。我希望这能在未来帮助其他人:D
Elastic Search Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:role/service-role/<role-name>"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:<account-id>:domain/<es-instance>/*"
}
]
}