
AWS Kinesis Firehose not sending data to Elasticsearch…IAM permissions?


So, I have everything set up, and everything works except the last step: sending data from Firehose to Elasticsearch.

This is the error I found in the Kinesis Firehose Elasticsearch service logs:

Error received from Elasticsearch cluster. {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"},"status":403}
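This is the IAM policy I attached (created by Firehose itself).

I tried adding all sorts of different policies, but I couldn't get it to work and keep getting the same error message.

Any suggestions?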

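I just ran into the same problem. My issue was that I had accidentally assigned the Firehose ARN to the ES role mapping instead of the IAM ARN.

Elasticsearch > Security > firehose_delivery_role > Mapped users > Backend roles > {{This needs to be the IAM Firehose ARN, not the Firehose ARN itself}}

Incorrect: arn:aws:firehose:us-east-1:000000012345:deliverystream/workshop-firehose

Correct: arn:aws:iam::000000012345:role/service-role/KinesisFirehoseServiceRole-workshop-fire-us-east-1-1609335111111

Before I spotted the mistake, I had also tried adding [index:data/write/bulk] and [index:data/write/bulk*] to the ES role's cluster and index permissions... but that didn't help.

Hope this helps others with a similar problem.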
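An added example (not part of the original answer): a Python check that extracts the denied action and the backend role from the 403 error in the question, then flags role-mapping entries that are not IAM role ARNs or that do not include the role Firehose actually presented. The function names, the abridged log line and the sample delivery-stream ARN are constructed for illustration; the mapping list is assumed to be copied by hand from the role's "Backend roles" field.

```python
import json
import re

# Constructed sample: the Firehose log line from the question, abridged to one root cause.
SAMPLE_ERROR = (
    'Error received from Elasticsearch cluster. {"error":{"root_cause":[{"type":"security_exception",'
    '"reason":"no permissions for [indices:data/write/bulk] and User '
    '[name=arn:aws:iam::917877325894:role/firehose_delivery_role, '
    'backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"}],'
    '"type":"security_exception"},"status":403}'
)

REASON_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<name>[^,]+), "
    r"backend_roles=\[(?P<roles>[^\]]*)\]"
)
# An IAM role ARN: iam service, empty region field, 12-digit account, role/<path and name>.
IAM_ROLE_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_denial(log_line):
    """Return (denied_action, [backend role ARNs presented]) from the error line."""
    body = json.loads(log_line[log_line.index("{"):])
    reason = body["error"]["root_cause"][0]["reason"]
    m = REASON_RE.search(reason)
    if not m:
        raise ValueError("not a security-plugin permission denial")
    roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
    return m["action"], roles


def audit_mapping(mapped_backend_roles, presented_roles):
    """List problems in a role mapping's backend roles for the roles the caller presented."""
    findings = []
    for arn in mapped_backend_roles:
        if not IAM_ROLE_RE.match(arn):
            findings.append(f"not an IAM role ARN: {arn}")
    for arn in presented_roles:
        if arn not in mapped_backend_roles:
            findings.append(f"presented role is not mapped: {arn}")
    return findings


if __name__ == "__main__":
    action, presented = parse_denial(SAMPLE_ERROR)
    # Constructed wrong mapping: a delivery-stream ARN where the IAM role ARN belongs.
    wrong = ["arn:aws:firehose:us-west-2:917877325894:deliverystream/test_dynamodb"]
    print(action, audit_mapping(wrong, presented), audit_mapping(presented, presented))
```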

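What is the IAM policy attached to? The ES domain or some role?

Attached to Kinesis Firehose

Are you sure your ES domain is called test-dynamodb? Also, what is the policy of the ES domain?

@Marcin yes, it's called test-dynamodb. The policy is {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":[""]},"Action":["es:"],"Resource":"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb2/*"}

Is this policy auto-generated? Usually for es: you would have es: . Similar in principle.
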
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateNetworkInterface",
                "ec2:CreateNetworkInterfacePermission",
                "ec2:DeleteNetworkInterface"
            ],
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-kinesis-backup-mydna",
                "arn:aws:s3:::test-kinesis-backup-mydna/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:us-west-2:917877325894:function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:DescribeElasticsearchDomain",
                "es:DescribeElasticsearchDomains",
                "es:DescribeElasticsearchDomainConfig",
                "es:ESHttpPost",
                "es:ESHttpPut"
            ],
            "Resource": [
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "es:ESHttpGet"
            ],
            "Resource": [
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_all/_settings",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_cluster/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_mapping/",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/*/stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_stats",
                "arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_stats"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-west-2:917877325894:log-group:/aws/kinesisfirehose/test_dynamodb:log-stream:*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStream",
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:ListShards"
            ],
            "Resource": "arn:aws:kinesis:us-west-2:917877325894:stream/%FIREHOSE_STREAM_NAME%"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:us-west-2:917877325894:key/%SSE_KEY_ID%"
            ],
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "kinesis.%REGION_NAME%.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:kinesis:arn": "arn:aws:kinesis:%REGION_NAME%:917877325894:stream/%FIREHOSE_STREAM_NAME%"
                }
            }
        }
    ]
}