我在帳戶「A」中擁有AWS ElasticSearch羣集。AWS ElasticSearch從帳戶「B」中的lambda寫入帳戶「A」
我試圖創建一個賬戶「B」中的賬戶「A」中寫入ES的lambda(由DynamoDB流觸發)。
,我發現了以下錯誤:
{
"Message":"User: arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES is not authorized to perform: es:ESHttpPost on resource: beta-na-lifeguard"
}
我試圖把STS以及作用到ES訪問策略(內帳戶「A」),沒有運氣。以下是我的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:user/beta-elasticsearch-admin"
},
"Action": "es:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountA:user/beta-elasticsearch-readwrite",
"arn:aws:iam::AccountA:role/beta-na-DynamoDBStreamLambdaElasticSearch",
"arn:aws:sts::AccountB:assumed-role/lambdaRole1/sourceTableToES",
"arn:aws:iam::AccountB:role/service-role/lambdaRole1"
]
},
"Action": [
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": "*"
}
]
}
感謝約翰,這讓我走上了正確的軌道 – jhilden