[英]AWS SDK JavaScript - The request signature we calculated does not match the signature you provided
I am trying to sign my HTTP request from my Lambda function to access my Elasticsearch endpoint as described here .我正在尝试从我的 Lambda function 签署我的 HTTP 请求,以访问我的 Elasticsearch 端点,如此处所述。 I dont know is there a better way for doing this but I am getting status 403 error with the following response.
我不知道是否有更好的方法来执行此操作,但我收到以下响应的状态 403错误。 How can i troubleshoot this error and identify the problem with my signature?
我如何解决此错误并确定我的签名问题?
{
"message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."
} }
My Lambda function has IAM role ( ROLE_X ) with below permissions.我的 Lambda function 具有以下权限的 IAM 角色 ( ROLE_X )。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpPost",
"es:ESHttpPut",
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:ListStreams",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
} }
I am also allowing access to this role in my Elasticsearch domain by providing ROLE_X's arn as Custom Access Policy.通过提供ROLE_X 的arn 作为自定义访问策略,我还允许在我的 Elasticsearch 域中访问此角色。
Here is my lambda function written in NodeJS这是我用 NodeJS 编写的 lambda function
'use strict';
var AWS = require('aws-sdk');
var region = 'eu-central-1';
var domain = 'search-mydomain-XXXX.eu-central-1.es.amazonaws.com';
var index = 'images';
var type = 'image';
var credentials = new AWS.EnvironmentCredentials('AWS');
exports.handler = (event, context, callback) => {
var endpoint = new AWS.Endpoint(domain);
var request = new AWS.HttpRequest(endpoint, region);
request.headers['host'] = domain;
request.headers['Content-Type'] = 'application/json';
// Content-Length is only needed for DELETE requests that include a request
// body, but including it for all requests doesn't seem to hurt anything.
request.headers['Content-Length'] = Buffer.byteLength(request.body);
request.path += index + '/' + type + '/';
let count = 0;
event.Records.forEach((record) => {
const id = JSON.stringify(record.dynamodb.Keys.id.S);
request.path += id;
if (record.eventName == 'REMOVE') {
request.method = 'DELETE';
console.log('Deleting document');
}
else { // record.eventName == 'INSERT'
request.method = 'PUT';
request.body = JSON.stringify(record.dynamodb.NewImage);
console.log('Adding document' + request.body);
}
// Signing HTTP Requests to Elasticsearch Service
var signer = new AWS.Signers.V4(request, 'es');
signer.addAuthorization(credentials, new Date());
// Sending HTTP Request to Elasticsearch Service
var client = new AWS.HttpClient();
client.handleRequest(request, null, function(response) {
console.log('sending request to ES');
console.log(response.statusCode + ' ' + response.statusMessage);
var responseBody = '';
response.on('data', function(chunk) {
responseBody += chunk;
});
response.on('end', function(chunk) {
console.log('Response body: ' + responseBody);
});
}, function(error) {
console.log('ERROR: ' + error);
callback(error);
});
request.path = request.path.replace(id, "");
count += 1;
console.log("COUNT :" + count);
});
callback(null, `Successfully processed ${count} records.`);
};
You can use the http-aws-es library.您可以使用http-aws-es库。 It uses aws-sdk to handle the signing of requests before accessing your ES endpoint.
它使用 aws-sdk 在访问您的 ES 端点之前处理请求的签名。 You can try the following changes to your code using http-aws-es.
您可以尝试使用 http-aws-es 对您的代码进行以下更改。
var es = require('elasticsearch');
var AWS = require('aws-sdk');
AWS.config.update({
credentials: new AWS.EnvironmentCredentials('AWS'),
region: 'yy-region-1'
});
const client = es.Client({
hosts: ['https://xxxx.yy-region-1.es.amazonaws.com/'],
connectionClass: require('http-aws-es'),
awsConfig: new AWS.Config({region: 'yy-region-1'})
});
await client.search(....)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.