堆栈内存溢出
  简体   繁体   English

向AWS Elasticsearch Service添加多个域访问策略(静态IP和Lambda ARN)

[英]Add multiple domain access policy to AWS Elasticsearch Service (Static IP and Lambda ARN)

 原文  2016-09-01 08:30:03       amazon-web-services/ elasticsearch/ aws-lambda/ amazon-elasticsearch/ aws-access-policy

问题描述

After setting up AWS Elasticsearch, I installed Logstash and Kibana proxy on a static IP server, and added this domain access policy on ES and it's working fine: 设置AWS Elasticsearch之后,我在静态IP服务器上安装了Logstash和Kibana代理,并在ES上添加了这个域访问策略,它运行正常: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    }
  ]
}

Now I need to allow Lambda function to execute es:ESHttpDelete action on AWS ES, so I created the function with the existing role service-role/Elasticsearch then copied the relevent ARN from IAM Managment console to add it to AWS ES access policy, to come up with this: 现在我需要允许Lambda函数在AWS ES上执行es:ESHttpDelete操作,因此我使用现有角色service-role/Elasticsearch创建了该函数,然后从IAM Managment控制台复制了相关的ARN ,将其添加到AWS ES访问策略,想出这个: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}

The problem is on ES I should either choose domain access policy for Static IP or ARN but not both. 问题出在ES我应该为静态IP或ARN选择域访问策略,但不能同时选择两者。 When I tried to merge them manually not by using the console it didn't work. 当我尝试手动合并它们而不是使用控制台时,它不起作用。 I checked AWS documentation but they didn't mention if is that possible or not. 我检查了AWS文档,但他们没有提到是否可能。

1 个解决方案

解决方案1
 2  2017-01-20 13:45:18

You can add multiple policy statements inside the Statement array in the JSON format of policy. 您可以使用JSON格式的策略在Statement数组中添加多个策略语句。 So, your final policy would be something like: 所以,你的最终政策将是这样的: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "192.192.192.192"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam:: 323137313233:role/service-role/Elasticsearch"
        ]
      },
      "Action": [
        "es:*"
      ],
      "Resource": "arn:aws:es:ap-southeast-1:323137313233:domain/sg-es-logs/*"
    }
  ]
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将 aws lambda 权限添加到 aws elasticsearch 策略 - Add aws lambda permissions to aws elasticsearch policy 使用有限策略授予对 AWS Lambda 服务的访问权限 - Giving access to AWS Lambda service with limited policy 在 AWS Lambda 策略上添加多个用户或角色 - Add multiple user or role on AWS Lambda policy AWS Lambda static IP - AWS Lambda static IP AWS,Lambda 上的 Static IP - AWS, Static IP on Lambda 带有Lambda的AWS Rekognition –策略的正确ARN资源名称是什么? - AWS Rekognition with Lambda – what is the correct ARN ressource name for the policy? AWS Elasticsearch Service IAM 基于角色的访问策略 - AWS Elasticsearch Service IAM Role based Access Policy AWS Elasticsearch Service:编写此访问策略的正确方法? - AWS Elasticsearch Service: Proper Way to Write this Access Policy? 如何使用 lambda function AWS SAM 添加策略以访问密钥 - How to add policy to access secret with lambda function AWS SAM AWS Arn Kinesis访问多个流 - Aws arn kinesis access to multiple streams
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM