[英]How to solve the error ""Message":"User: anonymous is not authorized to perform: iam:PassRole on resource"
I am trying to register a snapshot for my elasticsearch on AWS.我正在尝试在 AWS 上为我的 elasticsearch 注册快照。 My goal is to create a snapshot of elasticsearch domain on a s3 bucket.
我的目标是在 s3 存储桶上创建弹性搜索域的快照。 Below is the command I am using:
以下是我正在使用的命令:
curl -XPUT https://vpc-xxxxxxx.ap-southeast-2.es.amazonaws.com/_snapshot/es-snapshot -d '
{
"type": "s3",
"settings": {
"bucket": "$MY_BUCKET",
"region": "ap-southeast-2",
"role_arn": "arn:aws:iam::xxxx:role/es-snapshot-role"
}
}'
But I got this error:但我收到了这个错误:
{"Message":"User: anonymous is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxx:role/es-snapshot-role"}
It seems like a role permission issue.这似乎是一个角色权限问题。 I have configured the role policy as:
我已将角色策略配置为:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"es:*",
"s3:*",
"iam:PassRole",
"es:ESHttpPut"
],
"Resource": [
"*"
]
}
]
}
And its trust relationship is:其信任关系为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I wonder what else I missed here.我想知道我在这里还错过了什么。
This post AccessDenied for EC2 Instance with attached IAM Role
doesn't seem to relate to my issue.这篇文章
AccessDenied for EC2 Instance with attached IAM Role
似乎与我的问题无关。
Registering a Manual Snapshot Repository注册手动快照存储库
You must register a snapshot repository with Amazon Elasticsearch Service before you can take manual index snapshots.
您必须先向 Amazon Elasticsearch Service 注册快照存储库,然后才能拍摄手动索引快照。 This one-time operation requires that you sign your AWS request with credentials that are allowed to access TheSnapshotRole, as described in Manual Snapshot Prerequisites .
此一次性操作要求您使用允许访问 TheSnapshotRole 的凭证对您的 AWS 请求进行签名,如手动快照先决条件中所述。
You can't use curl to perform this operation, because it doesn't support AWS request signing.
您不能使用 curl 来执行此操作,因为它不支持 AWS 请求签名。 Instead, use the sample Python client , Postman , or some other method to send a signed request to register the snapshot repository.
相反,使用示例 Python 客户端、 Postman或其他一些方法发送签名请求以注册快照存储库。 The request takes the following form:
请求采用以下形式:
PUT elasticsearch-domain-endpoint/_snapshot/my-snapshot-repo
{
"type": "s3",
"settings": {
"bucket": "s3-bucket-name",
"region": "region",
"role_arn": "arn:aws:iam::123456789012:role/TheSnapshotRole"
}
}
Reference from AWS Documentation: Working with Amazon Elasticsearch Service Index Snapshots AWS 文档中的参考: 使用 Amazon Elasticsearch Service 索引快照
向您的 IAM 用户添加iam:PassRole
权限并尝试命令,
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.