[英]AWS Cloudformation - Elasticsearch Access Control Policies Service Error InvalidTypeException
I want to limit access to my elasticsearch clusters on aws by defining Access Policies
that would limit access to iam users, a specific lambda function and the appsync api.我想通过定义限制访问 iam 用户、特定 lambda 函数和 appsync api 的
Access Policies
来限制对我在 aws 上的 elasticsearch 集群的Access Policies
。
I have defined the following access policies
in the elasticsearch resource on cloudformation, but this is failing with an error: Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;
我在 cloudformation 上的 elasticsearch 资源中定义了以下
access policies
,但失败并出现错误: Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;
Service: AWSElasticsearch; Status Code: 409; Error Code: InvalidTypeException;
How do I fix my policy so that it works?我如何修复我的政策以使其有效?
"Type": "AWS::Elasticsearch::Domain",
"Properties": {
"AccessPolicies": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
{
"Fn::Join": [
"",
[
"arn:aws:lambda:",
{"Ref": "AWS::Region"},
":",
{"Ref": "AWS::AccountId"},
":function:",
{"Ref": "DdEsLambdaFunctionName"},
"-",
{"Ref": "env"}
]
]
},
{
"Fn::Join": [
"",
[
{"Ref": "GraphQLAPI"},
"/*"
]
]
}
]
},
"Action": [
"es:ESHttp*"
]
},
{
"Effect": "Allow",
"Principal": [
{
"AWS": {
"Fn::Join": [
"",
[
"arn:aws:iam::",
{"Ref": "AWS::AccountId"},
":user/*"
]
]
}
}
],
"Action": "*"
}
]
},...}
Not sure if this is the core issue, but your first Principal
is incorrect.不确定这是否是核心问题,但您的第一个
Principal
不正确。
You specified Service
but you provide lambda ARN.您指定了
Service
但您提供了 lambda ARN。 The ARN is of type AWS
principal, not Service
. ARN 属于
AWS
委托人类型,而不是Service
类型。 Possibly GraphQLAPI
is also an ARN, which again is not a Service
principal, but AWS
Principal.可能
GraphQLAPI
也是一个 ARN,它也不是Service
委托人,而是AWS
委托人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.