1

我有一个简单的代码,它在不同的 aws 帐户中对 Elastic Search 集群进行查询。这是代码

def get_es_client():
    sts_connection = boto3.client('sts')
    es_gamma_act = sts_connection.assume_role(
        RoleArn="arn:aws:iam::<HIDDEN>:role/SIP_Metrics_Cross_Account_Access",
        RoleSessionName="cross_acct_lambda"
    )

    access_key = es_gamma_act['Credentials']['AccessKeyId']
    secret_key = es_gamma_act['Credentials']['SecretAccessKey']
    session_token = es_gamma_act['Credentials']['SessionToken']

    aws_auth = AWS4Auth(access_key, secret_key, region, "es", session_token=session_token)
    return Elasticsearch(
        hosts=[{'host': es_host, 'port': 443}],
        http_auth=aws_auth,
        use_ssl=True,
        verify_certs=True,
        connection_class=RequestsHttpConnection,
        timeout=120
    )


def datetime_to_millis(date):
    return int(date.timestamp() * 1000)


def get_summary_count(es_client, start_date, end_date, summary_type=None, workflow=None):
    query = {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"locale.keyword": "en-US"}},
                    {
                        "range": {
                            "indexedAt": {
                                "gte": datetime_to_millis(start_date),
                                "lt": datetime_to_millis(end_date)
                            }
                        }
                    }
                ]
            }
        }
    }

    print(json.dumps(query))

    count = es_client.count(query, "summary-news-index")
    return count['count']


def get_es_data():
    es_client = get_es_client()

    start_date = datetime(2021, 7, 1)
    end_date = datetime(2021, 7, 3)

    count = get_summary_count(es_client, start_date, end_date)
    print(count)


if __name__ == "__main__":
    get_es_data()

运行此程序时出现以下错误

elasticsearch.exceptions.AuthorizationException: AuthorizationException(403, '{"Message":"User: arn:aws:sts::<HIDDEN>:assumed-role/SIP_Metrics_Cross_Account_Access/cross_acct_lambda is not authorized to perform: es:ESHttpPost"}')

我正在使用 STS 在有权执行 ESHttpPost 的目标帐户(与 ES 相同的帐户)中担任角色。似乎我能够正确承担该角色,但即使我拥有 ESHttpPost 权限,我仍然会收到此错误。当我从 lambda 函数运行此代码时也会发生这种情况。

如果我在这里遗漏了什么,你能告诉我吗?感谢您的回复

PS 根据要求,附加到代入角色 arn:aws:iam:::role/SIP_Metrics_Cross_Account_Access 的 IAM 策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "es:*",
            "Resource": "*"
        }
    ]
}
4

0 回答 0