
Unable to connect AWS Lambda to Elastic Search. Getting a 403 error

I am trying to load streaming data into Amazon ES from Amazon Kinesis Data Streams as given in the tutorial: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-aws-integrations.html#es-aws-integrations-kinesis

As given in the tutorial, my lambda function is:

import base64
import boto3
import json
import requests
from requests_aws4auth import AWS4Auth

region = 'us-east-1'
service = 'es'
credentials = boto3.Session().get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token)

host = '' # the ES domain has been specified here
index = 'lambda-kine-index'
type = 'lambda-kine-type'
url = host + '/' + index + '/' + type + '/'

headers = { "Content-Type": "application/json" }

def handler(event, context):
    count = 0
    for record in event['Records']:
        id = record['eventID']
        timestamp = record['kinesis']['approximateArrivalTimestamp']
        
        # Kinesis data is base64-encoded, so decode here
        message = base64.b64decode(record['kinesis']['data'])
        
        # Create the JSON document
        document = { "id": id, "timestamp": timestamp, "message": message }
        # Index the document
        r = requests.put(url + id, auth=awsauth, json=document, headers=headers)
        count += 1
    return 'Processed ' + str(count) + ' items.'

Also, as given in the tutorial, the IAM Role is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:ESHttpPost",
        "es:ESHttpPut",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:DescribeStream",
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    }
  ]
}

and the Trust Relationship is:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

After doing this, the response I get when I run the lambda is:

<Response [403]>

Any help in resolving this is appreciated.

Credentials would only be applicable if you use an IAM user, which isn't the case here as this is a Lambda function and it requires an IAM role.

What you might have is fine-grained access control enabled, which doesn't work well with domain policies.

Read more here and notice the highlighted section re-user / IAM mixing and not working correctly.

Make sure that your credentials are working. You can validate that using aws-cli. Refer to the documentation here.

For those of you who are getting 403's and the above solution doesn't apply...

If you are using granular permissions, you need to add your lambda execution role as a Backend role (configured in Kibana).

In Kibana -> Security / Roles

  • Add your role to "all_access" (or whatever role makes sense for your use case)
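
The handler in the question only surfaces `<Response [403]>`, while the response body indicates which layer refused the request. The following is an added example, not code from the original posts, that sorts a 403 body into the causes raised in the answers above. The sample bodies are constructed (placeholder account ID and role name), and the matched strings are assumptions about the service's error text.

```python
import json

# Constructed sample bodies (placeholder account ID and role name).
SAMPLES = {
    "fgac": json.dumps({"error": {"type": "security_exception", "reason":
        "no permissions for [indices:data/write/index] and User "
        "[name=arn:aws:iam::111122223333:role/example-lambda-role, "
        "backend_roles=[arn:aws:iam::111122223333:role/example-lambda-role]]"},
        "status": 403}),
    "iam": json.dumps({"Message": "User: arn:aws:sts::111122223333:assumed-role/"
        "example-lambda-role/example-fn is not authorized to perform: es:ESHttpPut"}),
    "sig": json.dumps({"message":
        "The security token included in the request is invalid."}),
}

HINTS = {
    "fine_grained_access_control":
        "Map the Lambda execution role as a backend role in Kibana -> Security / Roles.",
    "iam_or_domain_policy":
        "Check the role's es:ESHttp* actions and the domain access policy.",
    "signing_or_credentials":
        "Check the region, service name and session token passed to AWS4Auth.",
    "unknown": "Log the full response body and compare it with the domain settings.",
}

def classify_403(body):
    """Heuristically name the layer that rejected the request (assumed strings)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    err = doc.get("error")
    if isinstance(err, dict) and err.get("type") == "security_exception":
        return "fine_grained_access_control"  # signed OK, but no role mapping
    msg = str(doc.get("message") or doc.get("Message") or "").lower()
    if "signature" in msg or "security token" in msg:
        return "signing_or_credentials"
    if "not authorized to perform" in msg:
        return "iam_or_domain_policy"
    return "unknown"

def explain(status_code, body):
    """Return (cause, hint) for a 403 response; other statuses yield None."""
    if status_code != 403:
        return None
    cause = classify_403(body)
    return cause, HINTS[cause]
```

In the handler, calling `explain(r.status_code, r.text)` after each `requests.put` and logging the result records the principal and the refusing layer in CloudWatch.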
