我正在努力ElasticSearch在AWS. 我的目标是只允许从我的Lambda函数到ElasticSearch实例的 http 请求。我创建了一项策略,它提供了 'Lambda access to theElasticSearch instance. The part I'm struggling with is the inline resource policy forElasticSearch that will deny all other request that aren't from the 'Lambda。
我已经尝试将ElasticSearch资源策略设置为Deny所有请求,然后给我Lambda一个可以访问的角色ElasticSearch.虽然Lambda正在使用该角色,但我正在使用axios和aws4签署我的 http 请求,但请求被拒绝,The request signature we calculated does not match the signature you provided.我认为问题不是实际签署请求,而不是我创建的策略。如果有人能引导我朝着正确的方向前进,那真的很有帮助。
Lambda Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:CreateElasticsearchDomain",
"es:DescribeElasticsearchDomainConfig",
"es:ListTags",
"es:ESHttpDelete",
"es:GetUpgradeHistory",
"es:AddTags",
"es:ESHttpHead",
"es:RemoveTags",
"es:DeleteElasticsearchDomain",
"es:DescribeElasticsearchDomain",
"es:UpgradeElasticsearchDomain",
"es:ESHttpPost",
"es:UpdateElasticsearchDomainConfig",
"es:GetUpgradeStatus",
"es:ESHttpPut"
],
"Resource": "arn:aws:es:us-east-1:,accountid>:domain/<es-instance>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"es:PurchaseReservedElasticsearchInstance",
"es:DeleteElasticsearchServiceRole"
],
"Resource": "*"
}
]
}
ElasticSearch Inline Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": [
"*"
]
},
"Action": [
"es:*"
],
"Resource": "arn:aws:es:us-east-1:<account-number>:domain/<es-instance>/*"
}
]
}
Lambda Code Using Aws4 and Axios
//process.env.HOST = search-<es-instance>-<es-id>.us-east-1.es.amazonaws.com
function createRecipesIndex(url, resolve, reject){
axios(aws4.sign({
host: process.env.HOST,
method: "PUT",
url: "https://" + process.env.HOST,
path: '/recipes/',
}))
.then(response => {
console.log("----- SUCCESS INDEX CREATED -----");
resolve();
})
.catch(error => {
console.log("----- FAILED TO CREATE INDEX -----");
console.log(error);
reject();
});
}
注意:我尝试使用ElasticSearch设置为允许 *(all) 的内联策略创建索引并删除aws4库签名,它工作正常。现在我只想保护对这个资源的访问。