Amazon web services AWS Kinesis Firehose未向Elasticsearch发送数据…IAM权限?
所以,我已经准备好了一切,除了最后一步,即从消防水带向Elasticsearch发送数据外,一切正常 这是我在Kinesis Firehose Elasticsearch服务日志中发现的错误:Amazon web services AWS Kinesis Firehose未向Elasticsearch发送数据…IAM权限?,amazon-web-services,amazon-iam,amazon-kinesis,amazon-kinesis-firehose,
amazon-elasticsearch,Amazon Web Services,Amazon Iam,Amazon Kinesis,Amazon Kinesis Firehose,
amazon Elasticsearch,所以,我已经准备好了一切,除了最后一步,即从消防水带向Elasticsearch发送数据外,一切正常 这是我在Kinesis Firehose Elasticsearch服务日志中发现的错误: Error received from Elasticsearch cluster. {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] an
Error received from Elasticsearch cluster. {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::917877325894:role/firehose_delivery_role, backend_roles=[arn:aws:iam::917877325894:role/firehose_delivery_role], requestedTenant=null]"},"status":403}
这是我附加的IAM政策(由Firehose自己制定)
我尝试添加所有不同的策略,但无法使其正常工作,并且不断收到相同的错误消息
有什么建议吗?我刚刚遇到了同样的问题。我的问题是,我不小心将消防软管ARN分配给ES角色映射,而不是IAM ARN 弹性搜索>安全性>消防软管\u交付\u角色>映射用户>后端角色>{{这需要是IAM消防软管ARN,而不是消防软管ARN itselt} 不正确:arn:aws:firehose:us-east-1:0000000 12345:deliverystream/workshop firehose 正确:arn:aws:iam::0000000 12345:角色/服务角色/KinesisFirehoseServiceRole-workshop-fire-us-east-1-1609335111111 在发现错误之前,我还尝试将[index:data/write/bulk]和[index:data/write/bulk*]添加到ES角色的集群和索引权限中。。。但这没有帮助
希望这有助于解决类似问题的其他人。IAM政策与什么有关?ES域或某个角色?附加到Kinesis Firehosear您确定您的ES域被称为
测试发电机B
?另外,ES域的策略是什么?@Marcin yes它被称为test dynamodb。策略是{“版本”:“2012-10-17”,“声明”:[{“效果”:“允许”,“主体”:{“AWS”:[“”]},“操作”:[“es:”],“资源”:“arn:AWS:es:us-west-2:917877325894:domain/test-dynamodb2/*”}这个策略是自动生成的吗?通常对于es:
您将拥有es:
。原则上类似。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:CreateNetworkInterfacePermission",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test-kinesis-backup-mydna",
"arn:aws:s3:::test-kinesis-backup-mydna/*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:GetFunctionConfiguration"
],
"Resource": "arn:aws:lambda:us-west-2:917877325894:function:%FIREHOSE_DEFAULT_FUNCTION%:%FIREHOSE_DEFAULT_VERSION%"
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"es:DescribeElasticsearchDomain",
"es:DescribeElasticsearchDomains",
"es:DescribeElasticsearchDomainConfig",
"es:ESHttpPost",
"es:ESHttpPut"
],
"Resource": [
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"es:ESHttpGet"
],
"Resource": [
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_all/_settings",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_cluster/stats",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_mapping/",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/stats",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_nodes/*/stats",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/_stats",
"arn:aws:es:us-west-2:917877325894:domain/test-dynamodb/test_dynamodb*/_stats"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-west-2:917877325894:log-group:/aws/kinesisfirehose/test_dynamodb:log-stream:*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": "arn:aws:kinesis:us-west-2:917877325894:stream/%FIREHOSE_STREAM_NAME%"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-west-2:917877325894:key/%SSE_KEY_ID%"
],
"Condition": {
"StringEquals": {
"kms:ViaService": "kinesis.%REGION_NAME%.amazonaws.com"
},
"StringLike": {
"kms:EncryptionContext:aws:kinesis:arn": "arn:aws:kinesis:%REGION_NAME%:917877325894:stream/%FIREHOSE_STREAM_NAME%"
}
}
}
]
}