我有一個 AWS 托管的 Elasticsearch 實體(舊的“OpenSearch”之前的變體)。我想為 S3 啟用快照備份,但我似乎無法獲得正確的權限。
我正在嘗試使用實體角色,而不是特定的用戶憑據。我已經嘗試遵循本指南以及其他一些非常相似的指南。
我有一個角色: arn:aws:iam::MYACCOUNTID:role/ QA-elasticsearch-instance-role。該角色具有以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListS3BackupBucket",
"Action": [
"iam:PassRole",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::MYACCOUNTID:role/QA-elasticsearch-instance-role",
"arn:aws:s3:::qa-mycompanyname-elasticsearch-backups"
]
},
{
"Sid": "AllowBackupStorage",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::qa-mycompanyname-elasticsearch-backups/*"
]
},
{
"Sid": "AllowElasticSearchPost",
"Effect": "Allow",
"Action": "es:ESHttpPost",
"Resource": "arn:aws:es:us-east-1:MYACCOUNTID:domain/qa-elasticsearch"
}
]
}
此角色還具有以下信任關系:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
我有以下 python 腳本來嘗試創建快照存盤庫:
import boto3
import requests
from requests_aws4auth import AWS4Auth
host = 'https://MYELASTICSEARCHENDPOINT.us-east-1.es.amazonaws.com/'
region = 'us-east-1' # For example, us-west-1
service = 'es'
credentials = boto3.Session().get_credentials()
awsauth = AWS4Auth("MYACCESSKEY", "MYSECRETKEY", region, service)
# Register repository
path = '_snapshot/qa_snapshot_repository' # the Elasticsearch API endpoint
url = host path
payload = {
"type": "s3",
"settings": {
"bucket": "qa-MYCOMPANYNAME-elasticsearch-backups",
"region": "us-east-1",
"role_arn": "arn:aws:iam::MYACCOUNTID:role/QA-elasticsearch-instance-role"
}
}
headers = {"Content-Type": "application/json"}
r = requests.put(url, auth=awsauth, json=payload, headers=headers)
print(r.status_code)
print(r.text)
當我運行它時, ( python3 elasticsearch_test.py | jq .) 我得到以下資訊:
{
"error": {
"root_cause": [
{
"type": "repository_verification_exception",
"reason": "[qa_snapshot_repository] path is not accessible on master node"
}
],
"type": "repository_verification_exception",
"reason": "[qa_snapshot_repository] path is not accessible on master node",
"caused_by": {
"type": "i_o_exception",
"reason": "Unable to upload object [tests-4-VcUFXhTcW4PQ6fi6AiVA/master.dat] using a single upload",
"caused_by": {
"type": "amazon_s3_exception",
"reason": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: RJKPNBBEQQBNWHWT; S3 Extended Request ID: 3O5AqSkKhsCNlmYLCtcfnE0omhp6wdbPCejJ2r4dNJq93l2xppSs4Hv6uTGvNIJ2jFWLt31gsyc=)"
}
}
},
"status": 500
}
我一直在谷歌上搜索并嘗試調整權限幾個小時,但似乎無法正確處理。有什么明顯的我遺漏了嗎?
uj5u.com熱心網友回復:
所以事實證明錯誤回應非常具有誤導性。這并不是真正的“拒絕訪問”問題,而是由于客戶端和服務器之間的加密不當,對 S3 的請求被拒絕了。在這篇文章之后,我決定嘗試添加"server_side_encryption": "true",一切正常。
payload = {
"type": "s3",
"settings": {
"bucket": "qa-mycompanyname-elasticsearch-backups",
"region": "us-east-1",
"role_arn": "arn:aws:iam::myaccountid:role/QA-elasticsearch-instance-role",
"server_side_encryption": "true"
}
}
200
{
"acknowledged": true
}
我沒有正確的解釋為什么這有效。我猜它告訴 Elasticsearch 實體上的客戶端使用httpsURL 與 S3 而不是 進行通信http,但似乎很瘋狂,http 將是默認值,或者不會有更好的錯誤訊息回傳。
轉載請註明出處,本文鏈接:https://www.uj5u.com/net/343279.html