时间戳

首页 > 解决方案 > AWS :在另一个 AWS 账户上创建 Elastic Search 的 Cloud Watch 日志组订阅者

amazon-web-services - AWS :在另一个 AWS 账户上创建 Elastic Search 的 Cloud Watch 日志组订阅者

问题描述

我有两个 AWS 账户,一个 AWS 账户“A”包含 Cloud Watch,其中包含数据流(之前我创建了订阅者以使用 AWS 控制台将日志发送到同一账户中的 Elastic Search 实例,它工作得很好)所以我删除了以前的订阅者并为账户 B(使用账户 B ARN 和域)创建了一个当我尝试流式传输日志时,我在转发日志的 Lambda 中遇到以下错误:

{
    "errorType": "Error",
    "errorMessage": "{\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
    "stack": [
        "Error: {\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
        "    at _homogeneousError (/var/runtime/CallbackContext.js:13:12)",
        "    at postError (/var/runtime/CallbackContext.js:30:51)",
        "    at done (/var/runtime/CallbackContext.js:57:7)",
        "    at fail (/var/runtime/CallbackContext.js:69:7)",
        "    at Object.fail (/var/runtime/CallbackContext.js:105:16)",
        "    at /var/task/index.js:42:25",
        "    at IncomingMessage.<anonymous> (/var/task/index.js:176:13)",
        "    at IncomingMessage.emit (events.js:203:15)",
        "    at endReadableNT (_stream_readable.js:1145:12)",
        "    at process._tickCallback (internal/process/next_tick.js:63:19)"
    ]
}

我有以下 IAM 角色:

帐户 A lambda 角色

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": "arn:aws:es:*:<account B id>:*"
        }
    ]
}

账户 B 角色(有信任关系):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "es:ESHttpPost",
            "Resource": "*"
        }
    ]
}

Trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account A id>:role/lambda_elasticsearch_execution"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

我按照下面的指南进行操作,但仍然在相同的错误中运行

https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam -角色/

有人知道我缺少什么吗?

提前感谢!

标签: amazon-web-servicesaws-lambdaamazon-iamamazon-cloudwatchaws-elasticsearch

解决方案

我有同样的问题......要解决这个问题并不像你想象的那么难。让我们开始帐户 A(编号 1234567890)在 cloudwatch 中的日志组。账户 B(编号 0987654321)包含正在运行的弹性搜索 (ES)。帐户 A 正在运行 lambda 或使用角色名称 (SentCloudwatchToES)。这是起点。现在转到账户 B,打开 ES 的策略。这是您在创建 ES 堆栈期间创建的策略。您可以通过AWS中的ES部分找到它!(转到 AWS 中的 ES,单击域,单击操作,修改访问策略)编辑策略,包含以下部分:

   {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:role/service-role/SentCloudwatchToES",
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:<YOUR-REGION>:0987654321:domain/<YOUR-ES-DOMIAN>/*"
    }

保护它,并等待几分钟,以便 AWS 可以在 ES 中处理策略。现在设置/配置从账户 A 到账户 B 到 ES 的日志流。

推荐阅读