
Issues accessing ES with AWS request signing

I am building a Golang RESTful API and trying to access ES using signed requests. I have followed the documentation on AWS and the documentation of the Golang AWS Elasticsearch client package I am using (olivere/elastic).

The following Golang code is used to create a new client:

    signer := v4.NewSigner(credentials.NewStaticCredentials("IAM_USER_ID", "IAM_USER_SECRET", ""))
    awsClient, err := aws_signing_client.New(signer, nil, "es", "us-east-1")
    if err != nil {
        return nil, err
    }
    return elastic.NewClient(
        elastic.SetURL("https://my-aws-endpoint.us-east-1.es.amazonaws.com"),
        elastic.SetScheme("https"),
        elastic.SetHttpClient(awsClient),
        elastic.SetSniff(false), // See note below
    )

In the ElasticSearch AWS console, I have modified the access policy like this: (screenshots: selected access policy template; access policy)

It seems I am able to discover the ES node, but when I try to execute a query, ES returns HTTP status 403 (don't have permission).

I have also tried granting the IAM user the AmazonESFullAccess policy, but it seems to have no effect.

There appears to be an issue in the signing library. The following pull request fixed it. (not yet merged) https://github.com/sha1sum/aws_signing_client/pull/3

The following code worked for me. The ES version is 7.10.

    package main

    import (
        "fmt"
        "log"

        "github.com/aws/aws-sdk-go/aws/credentials"
        "github.com/olivere/elastic/v7"

        aws "github.com/olivere/elastic/v7/aws/v4"
    )

    func main() {
        // Placeholder values: replace with the IAM access key, secret key,
        // domain endpoint URL and region of the ES domain.
        var (
            accessKey = "aws key"
            secretKey = "aws secret key"
            host      = "es url"
            region    = "es region"
        )

        creds := credentials.NewStaticCredentials(accessKey, secretKey, "")
        _, err := creds.Get()
        if err != nil {
            log.Fatal("Wrong credentials: ", err)
        }

        // HTTP client that signs every outgoing request with AWS Signature V4
        signingClient := aws.NewV4SigningClient(creds, region)

        // Create an Elasticsearch client; sniffing and health checks are disabled
        client, err := elastic.NewClient(
            elastic.SetURL(host),
            elastic.SetSniff(false),
            elastic.SetHealthcheck(false),
            elastic.SetHttpClient(signingClient),
        )
        if err != nil {
            log.Fatal(err)
        }

        // A signed request that lists the index names; check the error before using the result
        indices, err := client.IndexNames()
        if err != nil {
            log.Fatal(err)
        }
        fmt.Println(indices)

        // Just a status message
        fmt.Println("Connection succeeded")
    }
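Background on what the signing clients in this thread compute, as an added example that is not code from the question, the answers or either library: a standard-library sketch of AWS Signature Version 4 showing that the signature covers the service name ("es"), the region, the timestamp and a SHA-256 of the request body, so a request signed over anything other than what the service receives carries a signature the service rejects. The function name SignV4, the restriction to an empty query string and two signed headers, and the sample values in main are assumptions made for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

func hmacSHA256(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

func hexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignV4 computes the SigV4 signature for a request with no query string that
// signs only the host and x-amz-date headers (a deliberate simplification).
func SignV4(secret, region, service, amzDate, method, host, path string, body []byte) string {
	day := amzDate[:8] // YYYYMMDD part of the ISO 8601 basic timestamp
	canonical := strings.Join([]string{
		method, path, "", // empty canonical query string
		"host:" + host, "x-amz-date:" + amzDate, "",
		"host;x-amz-date", // signed header names
		hexSHA256(body),   // the payload hash binds the body to the signature
	}, "\n")
	scope := day + "/" + region + "/" + service + "/aws4_request"
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hexSHA256([]byte(canonical))}, "\n")
	key := hmacSHA256([]byte("AWS4"+secret), day)
	for _, part := range []string{region, service, "aws4_request"} {
		key = hmacSHA256(key, part) // derive the scoped signing key step by step
	}
	return hex.EncodeToString(hmacSHA256(key, toSign))
}

func main() {
	// Constructed sample values; the secret is the example key from AWS documentation.
	const secret = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
	const host, date = "my-aws-endpoint.us-east-1.es.amazonaws.com", "20150830T123600Z"
	query := []byte(`{"query":{"match_all":{}}}`)
	fmt.Println("signed body:  ", SignV4(secret, "us-east-1", "es", date, "POST", host, "/_search", query))
	fmt.Println("empty body:   ", SignV4(secret, "us-east-1", "es", date, "POST", host, "/_search", nil))
	fmt.Println("wrong service:", SignV4(secret, "us-east-1", "ec2", date, "POST", host, "/_search", query))
}
```

The three printed signatures differ, which is why a client that signs with the wrong scope or without the body it actually sends fails authentication even when the IAM policy is correct.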
