我想启动一个 CodeBuild 项目来运行我的集成测试。我的应用程序使用 AWS ElasticSearch Service 作为 Hibernate Search 索引存储。
我在我的 ES 域中添加了一个策略,允许私有 ec2 实例通过 NAT 网关访问 ES。不幸的是,我想不出允许 CodeBuild 访问 ES 的正确策略。当我运行 CodeBuild 项目时,当 Hibernate 尝试检查索引是否存在时出现 403 错误。
Caused by: org.hibernate.search.exception.SearchException: HSEARCH400007: Elasticsearch request failed.
Request:
Operation: IndicesExists
URI:com.mycompany.myproject.model.tenant
Data:
null
Response:
=========
Status: 403
Error message: 403 Forbidden
Cluster name: null
Cluster status: null
我尝试配置 ES 访问策略以允许对域进行开放访问,然后测试运行正常(“AWS”:“*”)。
这是 ES 访问策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:role/CodeBuildRole-XXXXXXXX"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:AWS_ACOUNT_ID:domain/elastic-search-domain/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:AWS_ACCOUNT_ID:domain/elastic-search-domain/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "NAT_GW_IP"
}
}
}
]
}
作为校长,我还尝试了以下方法:
"arn:aws:sts::AWS_ACCOUNT_ID:assumed-role/CodeBuildRole-XXXXXXXXX/*"
"arn:aws:iam::AWS_ACCOUNT_ID:role/CodeBuildRole-XXXXXXXXX"
"arn:aws:iam::AWS_ACCOUNT_ID:root"
"arn:aws:iam::AWS_ACCOUNT_ID:user/MI_USER_ADMIN"
任何帮助将不胜感激。
谢谢