
Elasticsearch Service with Cognito — how to access via Python HTTP request

I recently set up an Elasticsearch service and configured it to use Cognito for identity management. I followed this guide and so far everything is working exactly as expected. I'm able to add new users as expected, and they can access Kibana as expected.

However, I would also like to use Python to interact with the Elasticsearch service. I've been following this guide, but I get permission errors about not having the right access.

from elasticsearch import Elasticsearch, RequestsHttpConnection
from requests_aws4auth import AWS4Auth
import boto3

# Domain endpoint host name only: no scheme and no trailing slash
host = 'hostname.us-east-2.es.amazonaws.com'
region = 'us-east-2'
service = 'es'

# Sign requests (SigV4) with whatever identity the default boto3 session resolves to
credentials = boto3.Session().get_credentials()
awsauth = AWS4Auth(credentials.access_key, credentials.secret_key, region, service, session_token=credentials.token)

es = Elasticsearch(
    hosts = [{'host': host, 'port': 443}],
    http_auth = awsauth,
    use_ssl = True,
    verify_certs = True,
    connection_class = RequestsHttpConnection
)

print(es.info())

AuthorizationException: AuthorizationException(403, 'security_exception', 'no permissions for [indices:admin/get] and User [name=arn:aws:iam::12345678:user/username, backend_roles=[], requestedTenant=null]')

I'm not sure if the issue is related to the way that I have Cognito configured, or if it's related to the way that I'm submitting this request. Any help on figuring out where my issue might be would be greatly appreciated.

It happened to me too. I found two ways; you have to create an IAM user for both of them.

  • Open the IAM console and give the IAM user the necessary policies for reaching your Elasticsearch domain (or, as I did, attach only the "AdministratorAccess" policy, which gives access to all of AWS), then use the credentials of this IAM account.
  • Or open Kibana -> Security -> Roles -> click the all_access role -> mapped_users -> manage_mapping. Then add the ARN of your IAM user to the backend roles. You have to use this user's credentials, not "boto3.Session().get_credentials()", in your code to connect to ES. I suggest the second one if you are not familiar with IAM roles and policies.

You should go to this page in Kibana:

You can use this button to create credentials for the IAM user
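
How to read the 403 from the question, as an added example that is not part of the original posts: it parses the `security_exception` text to show which identity the domain resolved and which action was refused. The function names and the second message format check are this example's own; the sample string is the error quoted in the question.

```python
import re

# Sample input: the 403 text quoted in the question (placeholders as posted).
SAMPLE = ("AuthorizationException(403, 'security_exception', 'no permissions for "
          "[indices:admin/get] and User [name=arn:aws:iam::12345678:user/username, "
          "backend_roles=[], requestedTenant=null]')")

_DENIED = re.compile(
    r"no permissions for \[(?P<actions>[^\]]*)\] and User "
    r"\[name=(?P<name>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\]"
)
_IAM_ARN = re.compile(r"arn:aws[\w-]*:iam::\d+:(user|role)/.+")


def _items(text):
    """Split a comma-separated bracket body into trimmed, non-empty items."""
    return [part.strip() for part in text.split(",") if part.strip()]


def parse_security_exception(message):
    """Return denied actions, principal name and backend roles, or None."""
    m = _DENIED.search(message)
    if m is None:
        return None
    return {"actions": _items(m["actions"]),
            "name": m["name"].strip(),
            "backend_roles": _items(m["roles"])}


def diagnose(message):
    """Describe who the domain saw and what to check next (None if not this error)."""
    info = parse_security_exception(message)
    if info is None:
        return None
    # A resolved user name means the signed request was accepted (authentication
    # passed); the 403 is an authorization decision by the security plugin.
    arn = _IAM_ARN.fullmatch(info["name"])
    info["principal_kind"] = arn.group(1) if arn else "internal_user"
    if info["backend_roles"]:
        info["next_check"] = "roles mapped to these backend roles must allow the actions"
    else:
        # No backend roles arrived with the request, so only a role mapping
        # that matches the principal can grant anything.
        info["next_check"] = "no backend roles: add a role mapping for this principal"
    return info


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The `actions` list names the permission the request was missing, which is the minimum the mapped role has to grant.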
