AWS SDK JavaScript - 我們計算的請求簽名與您提供的簽名不匹配

Question

我正在嘗試從我的 Lambda function 簽署我的 HTTP 請求，以訪問我的 Elasticsearch 端點，如此處所述。 我不知道是否有更好的方法來執行此操作，但我收到以下響應的狀態 403錯誤。 我如何解決此錯誤並確定我的簽名問題？

{
"message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."

}

我的 Lambda function 具有以下權限的 IAM 角色 ( ROLE_X )。

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "es:ESHttpPost",
            "es:ESHttpPut",
            "dynamodb:DescribeStream",
            "dynamodb:GetRecords",
            "dynamodb:GetShardIterator",
            "dynamodb:ListStreams",
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "*"
    }
]

}

通過提供ROLE_X 的arn 作為自定義訪問策略，我還允許在我的 Elasticsearch 域中訪問此角色。

這是我用 NodeJS 編寫的 lambda function

'use strict';
var AWS = require('aws-sdk');
var region = 'eu-central-1';
var domain = 'search-mydomain-XXXX.eu-central-1.es.amazonaws.com';
var index = 'images';
var type = 'image';
var credentials = new AWS.EnvironmentCredentials('AWS');

exports.handler = (event, context, callback) => {
    var endpoint = new AWS.Endpoint(domain);
    var request = new AWS.HttpRequest(endpoint, region);

    request.headers['host'] = domain;
    request.headers['Content-Type'] = 'application/json';
    // Content-Length is only needed for DELETE requests that include a request
    // body, but including it for all requests doesn't seem to hurt anything.
    request.headers['Content-Length'] = Buffer.byteLength(request.body);
    request.path += index + '/' + type + '/';
   
    let count = 0;
    event.Records.forEach((record) => {
        const id = JSON.stringify(record.dynamodb.Keys.id.S);
        request.path += id;
        if (record.eventName == 'REMOVE') {
            request.method = 'DELETE';
            console.log('Deleting document');
        }
        else { // record.eventName == 'INSERT'
            request.method = 'PUT';
            request.body = JSON.stringify(record.dynamodb.NewImage);
            console.log('Adding document' + request.body);
        }
        // Signing HTTP Requests to Elasticsearch Service
        var signer = new AWS.Signers.V4(request, 'es');
        signer.addAuthorization(credentials, new Date());
        
        // Sending HTTP Request to Elasticsearch Service
        var client = new AWS.HttpClient();
        client.handleRequest(request, null, function(response) {
            console.log('sending request to ES');
            console.log(response.statusCode + ' ' + response.statusMessage);
            var responseBody = '';
            response.on('data', function(chunk) {
                responseBody += chunk;
            });
            response.on('end', function(chunk) {
                console.log('Response body: ' + responseBody);
            });
        }, function(error) {
            console.log('ERROR: ' + error);
            callback(error);
        });
        request.path = request.path.replace(id, "");
        count += 1;
        console.log("COUNT :" + count);
    });
    
    callback(null, `Successfully processed ${count} records.`);
};

Answer 1

您可以使用http-aws-es庫。 它使用 aws-sdk 在訪問您的 ES 端點之前處理請求的簽名。 您可以嘗試使用 http-aws-es 對您的代碼進行以下更改。

var es = require('elasticsearch');
var AWS = require('aws-sdk');
    
AWS.config.update({
    credentials: new AWS.EnvironmentCredentials('AWS'),
    region: 'yy-region-1'
});
const client = es.Client({
    hosts: ['https://xxxx.yy-region-1.es.amazonaws.com/'],
    connectionClass: require('http-aws-es'),
    awsConfig: new AWS.Config({region: 'yy-region-1'})
});    

await client.search(....)