1

I am trying to use elasticdump to copy an index from AWS Elasticsearch Service:

elasticdump --input=https://xxx.xx-xxx-x.es.amazonaws.com/my_index --output=my_index.json

The relevant part of the policy:

...
  "Action": "es:*",
  "Resource": [
    "arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster/*",
    "arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster",
    "arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster/_search/scroll"
  ]
...

After 100 objects, I get:

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:xx-xxx-x:XXXXXXXX:domain/escluster/_search/scroll"}

Why is AWS blocking me from scrolling?

4

1 Answer

0

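You may need to add the IP of the machine that will access ES to do the dump. I had a similar problem and adding the IP solved it. My policy looks like this: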

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<AWSACCOUNT>:root"
    },
    "Action": "es:*",
    "Resource": "arn:aws:es:us-west-1:<AWSACCOUNT>:domain/<domain>/*"
  },
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "*"
    },
    "Action": "*",
    "Resource": [
      "arn:aws:es:us-west-1:<AWSACCOUNT>:domain/<domain>/*",
      "arn:aws:es:us-west-1:<AWSACCOUNT>:domain/<domain>/_search/scroll"
    ],
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": [
          "<IP1>",
          "<IP2>",
          <...>
        ]
      }
    }
  }
 ]
}

Maybe you need to set the port on the command line.

answered 2016-06-16T06:54:05.017
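The "User: anonymous" in the error means the scroll request reached the domain unsigned, so only a statement that admits any principal (here gated by source IP) can allow it. The sketch below is an added example, not code from the post and not AWS's policy evaluator: it is a simplified model (Allow statements only, exact principal match, glob matching) with a constructed account id and constructed IPs, and it narrows the second statement's action to `es:ESHttp*` instead of `*`.

```python
import ipaddress
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account id
DOMAIN_ARN = f"arn:aws:es:us-west-1:{ACCOUNT}:domain/escluster"
SCROLL = f"{DOMAIN_ARN}/_search/scroll"

# Constructed policy with the same shape as the answer's policy.
POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "es:*",
         "Resource": f"{DOMAIN_ARN}/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": "es:ESHttp*",  # narrower than the "*" used in the answer
         "Resource": f"{DOMAIN_ARN}/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.10/32"]}}},
    ]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, principal, action, resource, source_ip):
    """True if principal, action, resource and IP condition all match."""
    principals = _as_list(stmt["Principal"]["AWS"])
    if "*" not in principals and principal not in principals:
        return False  # an unsigned ("anonymous") caller never matches an IAM ARN
    if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def is_allowed(policy, principal, action, resource, source_ip):
    """Simplified decision: allowed if any Allow statement matches."""
    return any(s["Effect"] == "Allow"
               and statement_matches(s, principal, action, resource, source_ip)
               for s in policy["Statement"])
```

Because `domain/escluster/*` already covers `_search/scroll`, the separate scroll ARN in either policy adds nothing; what decides the outcome is whether the caller is signed or comes from a listed IP.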