AWS Firehose 交付到 VPC 中的跨账户 Elasticsearch
[英]AWS Firehose delivery to Cross Account Elasticsearch in VPC
问题描述
I have a Elasticsearch inside the VPC running in account A.
我在账户 A 中运行的 VPC 中有一个 Elasticsearch。
I want to deliver logs from Firehose in Account B to the Elasticsearch in Account A.我想将来自账户 B 中 Firehose 的日志传送到账户 A 中的 Elasticsearch。
Is it possible?可能吗?
When I try to create delivery stream from AWS CLI I am getting below exception,当我尝试从 AWS CLI 创建交付 stream 时,我遇到了异常,
$: /usr/local/bin/aws firehose create-delivery-stream --cli-input-json file://input.json --profile devops
An error occurred (InvalidArgumentException) when calling the CreateDeliveryStream operation: Verify that the IAM role has access to the ElasticSearch domain.
The same IAM role, and same input.json works when modified to the Elasticsearch in Account B. I have Transit gateway connectivity enabled between the AWS accounts and I can connect telnet to the Elasticsearch in Account A from EC2 instance in Account B.相同的 IAM 角色和相同的输入。当修改为账户 B 中的 Elasticsearch 时,json 可以工作。我在 AWS 账户之间启用了 Transit 网关连接,并且我可以从账户 BDD 连接到账户 A 中的实例 EC2 中的 Elasticsearch。
Adding my complete terraform code(i got same exception in AWS CLI and also in Terraform): https://gist.github.com/karthikeayan/a67e93b4937a7958716dfecaa6ff7767 Adding my complete terraform code(i got same exception in AWS CLI and also in Terraform): https://gist.github.com/karthikeayan/a67e93b4937a7958716dfecaa6ff7767
3 个解决方案
解决方案1
0 2020-05-12 13:39:11
It looks like you haven't granted sufficient permissions to the role that is used when creating the stream (from the CLI example provided I'm guessing its a role named 'devops').看起来您没有为创建 ZF7B44CFFAFD5C52223D5498196C8A2E7BZ 时使用的角色授予足够的权限(从提供的 CLI 示例中,我猜测它是一个名为“devops”的角色)。 At minimum you will need firehose: CreateDeliveryStream .至少你需要firehose: CreateDeliveryStream 。
I suggest adding the below permissions to your role:我建议为您的角色添加以下权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"firehose:PutRecord",
"firehose:CreateDeliveryStream",
"firehose:UpdateDestination"
],
"Resource": "*"
}
]
}
解决方案2
0 2020-05-20 10:46:56
https://forums.aws.amazon.com/message.jspa?messageID=943731 https://forums.aws.amazon.com/message.jspa?messageID=943731
I have been informed from AWS forum that this feature is currently not supported.我从 AWS 论坛获悉,目前不支持此功能。
解决方案3
0 2022-08-12 14:26:26
You can set up Kinesis Data Firehose and its dependencies, such as Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch, to stream across different accounts.您可以跨不同账户将 Kinesis Data Firehose 及其依赖项(例如 Amazon Simple Storage Service (Amazon S3) 和 Amazon CloudWatch)设置为 stream。 Streaming data delivery works for publicly accessible OpenSearch Service clusters whether or not fine-grained access control (FGAC) is enabled无论是否启用细粒度访问控制 (FGAC),流式数据传输都适用于可公开访问的 OpenSearch 服务集群
https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/ https://aws.amazon.com/premiumsupport/knowledge-center/kinesis-firehose-cross-account-streaming/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.