堆栈内存溢出
  简体   繁体   English

如何解决错误""Message":"User:anonymous is notauthorized to perform: iam:PassRole on resource"

[英]How to solve the error ""Message":"User: anonymous is not authorized to perform: iam:PassRole on resource"

 原文  2019-09-16 02:02:23       amazon-web-services/ amazon-iam/ aws-elasticsearch

问题描述

I am trying to register a snapshot for my elasticsearch on AWS.我正在尝试在 AWS 上为我的 elasticsearch 注册快照。 My goal is to create a snapshot of elasticsearch domain on a s3 bucket.我的目标是在 s3 存储桶上创建弹性搜索域的快照。 Below is the command I am using:以下是我正在使用的命令:

curl -XPUT https://vpc-xxxxxxx.ap-southeast-2.es.amazonaws.com/_snapshot/es-snapshot -d '
{
"type": "s3",
"settings": {
  "bucket": "$MY_BUCKET",
  "region": "ap-southeast-2",
  "role_arn": "arn:aws:iam::xxxx:role/es-snapshot-role"
}
}'

But I got this error:但我收到了这个错误:

{"Message":"User: anonymous is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxx:role/es-snapshot-role"}

It seems like a role permission issue.这似乎是一个角色权限问题​​。 I have configured the role policy as:我已将角色策略配置为:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:*",
                "s3:*",
                "iam:PassRole",
                "es:ESHttpPut"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

And its trust relationship is:其信任关系为:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I wonder what else I missed here.我想知道我在这里还错过了什么。

This post AccessDenied for EC2 Instance with attached IAM Role doesn't seem to relate to my issue.这篇文章AccessDenied for EC2 Instance with attached IAM Role似乎与我的问题无关。

2 个解决方案

解决方案1
 1 已采纳  2019-09-16 05:45:14

Registering a Manual Snapshot Repository注册手动快照存储库

You must register a snapshot repository with Amazon Elasticsearch Service before you can take manual index snapshots.您必须先向 Amazon Elasticsearch Service 注册快照存储库,然后才能拍摄手动索引快照。 This one-time operation requires that you sign your AWS request with credentials that are allowed to access TheSnapshotRole, as described in Manual Snapshot Prerequisites .此一次性操作要求您使用允许访问 TheSnapshotRole 的凭证对您的 AWS 请求进行签名,如手动快照先决条件中所述

You can't use curl to perform this operation, because it doesn't support AWS request signing.您不能使用 curl 来执行此操作,因为它不支持 AWS 请求签名。 Instead, use the sample Python client , Postman , or some other method to send a signed request to register the snapshot repository.相反,使用示例 Python 客户端Postman或其他一些方法发送签名请求以注册快照存储库。 The request takes the following form:请求采用以下形式:

PUT elasticsearch-domain-endpoint/_snapshot/my-snapshot-repo
{
  "type": "s3",
  "settings": {
    "bucket": "s3-bucket-name",
    "region": "region",
    "role_arn": "arn:aws:iam::123456789012:role/TheSnapshotRole"
  }
}

Reference from AWS Documentation: Working with Amazon Elasticsearch Service Index Snapshots AWS 文档中的参考: 使用 Amazon Elasticsearch Service 索引快照

解决方案2
 1  2019-09-16 06:29:05

向您的 IAM 用户添加iam:PassRole权限并尝试命令,

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 消息“:”用户:匿名无权执行:iam:PassRole - Message“:”User: anonymous is not authorized to perform: iam:PassRole 用户无权执行:iam:PassRole on resource error in create AWS codepipeline - User not authorized to perform: iam:PassRole on resource error in creating AWS codepipeline CloudFormation 无权对资源执行:iam:PassRole - CloudFormation is not authorized to perform: iam:PassRole on resource 放大,用户无权在资源上执行 iam:passRole - Amplify, User is not authorized to preform iam:passRole on resource 用户:anonymous 无权对资源执行:es:ESHttpPost: - User: anonymous is not authorized to perform: es:ESHttpPost on resource: 错误代码:AccessDeniedException。 用户:arn:aws:iam::xxx:user/xxx 无权执行:lambda:CreateEventSourceMapping on resource:* - Error code: AccessDeniedException. User: arn:aws:iam::xxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: * AWS IAM / QuickSight-用户无权执行:quicksight:资源上的GetDashboardEmbedUrl - AWS IAM / QuickSight - user is not authorized to perform: quicksight:GetDashboardEmbedUrl on resource IAM用户无权执行:在资源xxxx上使用明确拒绝的firehose:CreateDeliveryStream - Iam user not authorized to perform: firehose:CreateDeliveryStream on resource xxxx with an explicit deny Amazon SES 异常:IAM 用户无权对资源执行“ses:SendRawEmail” - Amazon SES Exception: IAM User is not authorized to perform `ses:SendRawEmail' on resource AWS EKS:用户无权执行:对资源执行 iam:CreateRole - AWS EKS: user is not authorized to perform: iam:CreateRole on resource
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM