搜索
搜索

修复“用户:匿名无权执行”

debugcn 发表于 Dev
8
Glines妈妈

我很难拥有一个AWS Lambda函数来连接到AWS ElasticSearch集群。

我有一个定义为以下内容的AWS Lambda函数:

resource "aws_lambda_function" "fun1" {
  function_name = "fun1"
  role = aws_iam_role.ia0.arn

  vpc_config {
    security_group_ids = local.security_group_ids
    subnet_ids         = local.subnet_ids
  }

  environment {
    variables = {
      ELASTICSEARCH_ENDPOINT = "https://${aws_elasticsearch_domain.es.endpoint}"
    }
  }
}

resource "aws_iam_role" "ia0" {
  name = "lambda-exec-role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role = aws_iam_role.ia0.id
  policy_arn = aws_iam_policy.lambda_logging.arn
}

data "aws_iam_policy" "AWSLambdaBasicExecutionRole" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "AWSLambdaBasicExecutionRole" {
  role = aws_iam_role.ia0.id
  policy_arn = data.aws_iam_policy.AWSLambdaBasicExecutionRole.arn
}

data "aws_iam_policy" "AWSLambdaVPCAccessExecutionRole" {
  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
  role = aws_iam_role.ia0.id
  policy_arn = data.aws_iam_policy.AWSLambdaVPCAccessExecutionRole.arn
}

我的VPC定义如下:

locals {
    security_group_ids = [aws_security_group.sg0.id]
    subnet_ids         = [aws_subnet.private_a.id, aws_subnet.private_b.id]
}

resource "aws_vpc" "vpc0" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support = true
}

resource "aws_subnet" "private_a" {
  vpc_id = aws_vpc.vpc0.id
  cidr_block = cidrsubnet(aws_vpc.vpc0.cidr_block, 2, 1)
  availability_zone = "eu-west-3a"
}

resource "aws_subnet" "private_b" {
  vpc_id = aws_vpc.vpc0.id
  cidr_block = cidrsubnet(aws_vpc.vpc0.cidr_block, 2, 2)
  availability_zone = "eu-west-3b"
}

resource "aws_security_group" "sg0" {
    vpc_id = aws_vpc.vpc0.id
}

最后,我的集群如下所示:

resource "aws_elasticsearch_domain" "es" {
  domain_name = "es"
  elasticsearch_version = "7.9"

  cluster_config {
    instance_count         = 2
    zone_awareness_enabled = true
    instance_type          = "t2.small.elasticsearch"
  }

  domain_endpoint_options {
    enforce_https = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  vpc_options {
    security_group_ids = local.security_group_ids
    subnet_ids         = local.subnet_ids
  }
}

resource "aws_iam_role_policy" "rp0" {
  name   = "rp0"
  role   = aws_iam_role.ia0.id
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "es:*"
      ],
      "Resource": [
        "${aws_elasticsearch_domain.es.arn}",
        "${aws_elasticsearch_domain.es.arn}/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "${aws_subnet.private_a.cidr_block}",
            "${aws_subnet.private_b.cidr_block}"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
}

尽管如此,我仍然得到这个答案

Response
  { responseStatus = Status {statusCode = 403, statusMessage = "Forbidden"}
  , responseVersion = HTTP/1.1
  , responseHeaders =
        [("Date","xxx")
        ,("Content-Type","application/json")
        ,("Content-Length","72")
        ,("Connection","keep-alive")
        ,("x-amzn-RequestId","xxx")
        ,("Access-Control-Allow-Origin","*")
        ]
  , responseBody = "{\"Message\":\"User: anonymous is not authorized to perform: es:ESHttpPut\"}\"
  , responseCookieJar = CJ {expose = []}, responseClose' = ResponseClose
  }"

根据AWS文档,使用CIDR应该足够了,但实际上,缺少了一些东西。

在此先感谢您的帮助。

Balu vyamajala

您需要先进行请求签名,然后再进行http调用以告诉Elastic search来自谁的请求。我不知道您使用的是哪种编程语言,这是我们可以在NodeJ中执行的操作

对于简单的http调用

    let request = new (AWS as any).HttpRequest(endpoint, 'us-east-1');
    let credentials = new AWS.EnvironmentCredentials('AWS');
    let signers = new (AWS as any).Signers.V4(request, 'es');
    signers.addAuthorization(credentials, new Date());

如果您使用的是@ elastic / elasticsearch之类的软件包,则可以结合使用http-aws-es来创建一个创建签名的客户端,可能看起来像

let options = {
    hosts: [ yourHost ], 
    connectionClass: require('http-aws-es'), 
    awsConfig: new AWS.Config({ region: 'us-east-1', credentials: new AWS.EnvironmentCredentials('AWS') })
};
client = require('elasticsearch').Client(options);

本文收集自互联网,转载请注明来源。

如有侵权,请联系[email protected] 删除。

编辑于
0

我来说两句

0条评论
登录后参与评论

相关文章

来自分类Dev

在同一VPC上的Lambda和API网关导致用户:匿名无权执行:execute-api:在资源上调用

来自分类Dev

AWS API网关:用户:匿名无权执行:execute-api:在资源上调用:arn:aws:execute-api:

来自分类Dev

限制用户,使其无权执行任何操作

来自分类Dev

用户无权执行此操作。在图像表创建中

来自分类Dev

AWS eb创建失败-用户无权执行:自动缩放

来自分类Dev

lambda-用户无权执行:cognito-idp:ListUsers

来自分类Dev

用户无权执行:资源上的iam:CreatePolicy:策略AWSLambdaBasicExecutionRole?

来自分类Dev

无权与Cognito用户一起执行AssumeRoleWithWebIdentity

来自分类Dev

Api Gateway上的AWS资源策略:无权授权匿名显式拒绝对资源执行调用

来自分类Dev

如果匿名用户无权访问URL,如何将匿名用户重定向到自定义页面而不是登录页面?

来自分类Dev

MongoDB 3.2-管理员用户无权执行命令

来自分类Dev

Cloud Pub / Sub演示:403用户无权执行此操作。尝试推送通知时

来自分类Dev

EKS无法使用Kubectl向Kubernetes进行身份验证-“用户:无权执行:sts:AssumeRole”

来自分类Dev

AWS boto3用户:arn:aws:iam :: xxxx:root无权执行:资源的lambda:AddLayerVersionPermission

来自分类Dev

Glassfish 中批处理 OSGi 应用程序的授权问题 - “当前用户无权执行此操作”

来自分类Dev

Iam 用户无权执行:firehose:CreateDeliveryStream 对资源 xxxx 进行显式拒绝

来自分类Dev

AccessDenied:无权执行sts:AssumeRoleWithWebIdentity

来自分类Dev

Lambda无权执行:dynamodb:GetItem

来自分类Dev

代理角色无权编辑用户

来自分类Dev

在调用扫描操作时如何解决(AccessDeniedException):用户:arn:aws:sts ...无权执行:dynamodb:对资源进行扫描。

来自分类Dev

用户[X]无权访问用户[X:importSshPublicKey]

来自分类Dev

执行失败:您无权调用getProjectTriggers

来自分类Dev

ejabberd:AccessRules:帐户无权执行该操作

来自分类Dev

角色无权在KinesisStream上执行DescribeStream

来自分类Dev

Cognito凭据无权执行Execute API

来自分类Dev

Lambda无权执行:cognito-idp:AdminInitiateAuth

来自分类Dev

BE用户无权访问本地化

来自分类Dev

Google Drive 用户无权读取文件

来自分类Dev

匿名命名功能-执行

Related 相关文章

  1. 1

    在同一VPC上的Lambda和API网关导致用户:匿名无权执行:execute-api:在资源上调用

  2. 2

    AWS API网关:用户:匿名无权执行:execute-api:在资源上调用:arn:aws:execute-api:

  3. 3

    限制用户,使其无权执行任何操作

  4. 4

    用户无权执行此操作。在图像表创建中

  5. 5

    AWS eb创建失败-用户无权执行:自动缩放

  6. 6

    lambda-用户无权执行:cognito-idp:ListUsers

  7. 7

    用户无权执行:资源上的iam:CreatePolicy:策略AWSLambdaBasicExecutionRole?

  8. 8

    无权与Cognito用户一起执行AssumeRoleWithWebIdentity

  9. 9

    Api Gateway上的AWS资源策略:无权授权匿名显式拒绝对资源执行调用

  10. 10

    如果匿名用户无权访问URL,如何将匿名用户重定向到自定义页面而不是登录页面?

  11. 11

    MongoDB 3.2-管理员用户无权执行命令

  12. 12

    Cloud Pub / Sub演示:403用户无权执行此操作。尝试推送通知时

  13. 13

    EKS无法使用Kubectl向Kubernetes进行身份验证-“用户:无权执行:sts:AssumeRole”

  14. 14

    AWS boto3用户:arn:aws:iam :: xxxx:root无权执行:资源的lambda:AddLayerVersionPermission

  15. 15

    Glassfish 中批处理 OSGi 应用程序的授权问题 - “当前用户无权执行此操作”

  16. 16

    Iam 用户无权执行:firehose:CreateDeliveryStream 对资源 xxxx 进行显式拒绝

  17. 17

    AccessDenied:无权执行sts:AssumeRoleWithWebIdentity

  18. 18

    Lambda无权执行:dynamodb:GetItem

  19. 19

    代理角色无权编辑用户

  20. 20

    在调用扫描操作时如何解决(AccessDeniedException):用户:arn:aws:sts ...无权执行:dynamodb:对资源进行扫描。

  21. 21

    用户[X]无权访问用户[X:importSshPublicKey]

  22. 22

    执行失败:您无权调用getProjectTriggers

  23. 23

    ejabberd:AccessRules:帐户无权执行该操作

  24. 24

    角色无权在KinesisStream上执行DescribeStream

  25. 25

    Cognito凭据无权执行Execute API

  26. 26

    Lambda无权执行:cognito-idp:AdminInitiateAuth

  27. 27

    BE用户无权访问本地化

  28. 28

    Google Drive 用户无权读取文件

  29. 29

    匿名命名功能-执行

热门标签

归档