
AWS Cloudformation - Elasticsearch Access Control Policies Service Error InvalidTypeException

I want to limit access to my Elasticsearch clusters on AWS by defining Access Policies that would limit access to IAM users, a specific Lambda function and the AppSync API.

I have defined the following access policies in the Elasticsearch resource on CloudFormation, but this is failing with an error: Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;

How do I fix my policy so that it works?

        "Type": "AWS::Elasticsearch::Domain",
        "Properties": {
            "AccessPolicies": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": [
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:lambda:",
                                            {"Ref": "AWS::Region"},
                                            ":",
                                            {"Ref": "AWS::AccountId"},
                                            ":function:",
                                            {"Ref": "DdEsLambdaFunctionName"},
                                            "-",
                                            {"Ref": "env"}
                                        ]
                                    ]
                                },
                                {
                                    "Fn::Join": [
                                        "",
                                        [
                                            {"Ref": "GraphQLAPI"},
                                            "/*"
                                        ]
                                    ]
                                }
                            ]
                        },
                        "Action": [
                            "es:ESHttp*"
                        ]
                    },
                    {
                        "Effect": "Allow",
                        "Principal": [
                            {
                                "AWS": {
                                    "Fn::Join": [
                                        "",
                                        [
                                            "arn:aws:iam::",
                                            {"Ref": "AWS::AccountId"},
                                            ":user/*"
                                        ]
                                    ]
                                }
                            }
                        ],
                        "Action": "*"
                    }
                ]
            },...}

Not sure if this is the core issue, but your first Principal is incorrect.

You specified Service but you provided a Lambda ARN. The ARN is of type AWS principal, not Service. Possibly GraphQLAPI is also an ARN, which again is not a Service principal, but an AWS principal.
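The answer above points at the Service/AWS mix-up, and the posted policy has two further shape problems that the Elasticsearch API rejects the same way: the second statement's Principal is a JSON array rather than an object, and a wildcard inside a principal ARN (user/*) is not allowed; a Lambda function ARN is also not an IAM principal at all, the function's execution role is. The following is an added example, not code from the question or the answer: a small Python lint that resolves the Ref/Fn::Join/Fn::Sub/Fn::GetAtt intrinsics against constructed sample values and checks every Principal, plus a corrected AccessPolicies value of the kind one would put back into the template. The logical IDs DdEsLambdaRole and AppSyncEsRole, the DomainName parameter, the SearchAdmins role and every sample value are assumptions for the example.

```python
"""Lint the Principal element of an Elasticsearch domain AccessPolicies value as written in a
CloudFormation template; Ref/Fn::GetAtt/Fn::Join/Fn::Sub are first resolved against sample values."""
import re

# Constructed sample values used to resolve intrinsic functions; none of this is real account data.
SAMPLE_PARAMS = {
    "AWS::Region": "us-east-1",
    "AWS::AccountId": "123456789012",
    "DdEsLambdaFunctionName": "ddEsSync",
    "env": "dev",
    "GraphQLAPI": "abcdefghij1234",  # Amplify passes the AppSync API id in this parameter
    "DomainName": "my-search",  # hypothetical template parameter holding the domain name
    "DdEsLambdaRole.Arn": "arn:aws:iam::123456789012:role/ddEsSync-dev-role",  # hypothetical role
    "AppSyncEsRole.Arn": "arn:aws:iam::123456789012:role/appsync-es-role",  # hypothetical role
}

def resolve(node, params=SAMPLE_PARAMS):
    """Evaluate the subset of CloudFormation intrinsic functions these policies use."""
    if isinstance(node, dict) and len(node) == 1:
        key, val = next(iter(node.items()))
        if key == "Ref":
            return params[val]
        if key == "Fn::GetAtt":
            return params[".".join(val)]  # "Logical.Attr" looked up in the sample table
        if key == "Fn::Join":
            sep, parts = val
            return sep.join(str(resolve(p, params)) for p in parts)
        if key == "Fn::Sub":
            return re.sub(r"\$\{([^}]+)\}", lambda m: params[m.group(1)], val)
    if isinstance(node, dict):
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

ALLOWED_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}
SERVICE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")  # service principals look like lambda.amazonaws.com
ACCOUNT = re.compile(r"^\d{12}$")
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|user/[^*?]+|role/[^*?]+)$")  # no wildcards inside an ARN

def lint_principals(access_policies, params=SAMPLE_PARAMS):
    """Return a list of problems with each statement's Principal; an empty list means well-formed."""
    problems = []
    for i, stmt in enumerate(resolve(access_policies, params)["Statement"]):
        principal = stmt.get("Principal")
        if principal == "*":
            continue
        if not isinstance(principal, dict):  # a JSON array is not a principal map
            problems.append(f'statement {i}: Principal must be "*" or an object, not a {type(principal).__name__}')
            continue
        for key, values in principal.items():
            if key not in ALLOWED_KEYS:
                problems.append(f"statement {i}: unknown Principal key {key!r}")
                continue
            for value in values if isinstance(values, list) else [values]:
                if key == "Service" and not SERVICE.match(value):
                    problems.append(f"statement {i}: Service principal {value!r} is not a service name such as "
                                    "lambda.amazonaws.com; the ARN of a resource is not a principal")
                elif key == "AWS" and value != "*" and not (ACCOUNT.match(value) or IAM_ARN.match(value)):
                    problems.append(f"statement {i}: AWS principal {value!r} must be an account id or an IAM "
                                    "root/user/role ARN without wildcards")
    return problems

# The AccessPolicies value from the question, transcribed as a Python dict.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": [
             {"Fn::Join": ["", ["arn:aws:lambda:", {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"},
                                ":function:", {"Ref": "DdEsLambdaFunctionName"}, "-", {"Ref": "env"}]]},
             {"Fn::Join": ["", [{"Ref": "GraphQLAPI"}, "/*"]]}]},
         "Action": ["es:ESHttp*"]},
        {"Effect": "Allow",
         "Principal": [{"AWS": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":user/*"]]}}],
         "Action": "*"},
    ],
}

def corrected_access_policies():
    """The same grants with well-formed principals (an assumed design, not the poster's final template):
    callers are named by the IAM roles they present, and every statement is scoped to the domain ARN."""
    domain_arn = {"Fn::Sub": "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",  # the Lambda execution role and the AppSync data-source role
             "Principal": {"AWS": [{"Fn::GetAtt": ["DdEsLambdaRole", "Arn"]},
                                   {"Fn::GetAtt": ["AppSyncEsRole", "Arn"]}]},
             "Action": "es:ESHttp*",
             "Resource": domain_arn},
            {"Effect": "Allow",  # humans: one explicit role (hypothetical name) instead of user/*
             "Principal": {"AWS": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/SearchAdmins"}},
             "Action": "es:*",
             "Resource": domain_arn},
        ],
    }
```

Running lint_principals(ORIGINAL_POLICY) reports three problems (the two Service values and the array-shaped Principal); lint_principals(corrected_access_policies()) reports none, and json.dumps of the returned dict is the AccessPolicies value for the template. Two things the lint cannot tell you: the grant to a role only takes effect for requests the Lambda function or AppSync resolver sign with SigV4 using that role's credentials, and the domain's Resource ARN is built from a DomainName parameter with Fn::Sub on purpose, because pointing the policy at the domain's own Arn attribute makes the resource depend on itself. Fn::GetAtt with Arn is used for the roles because Ref on an AWS::IAM::Role yields the role name, not its ARN. The lint is a structural check only and does not replace cfn-lint or IAM's own validation.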
