amazon-web-services - AWS :在另一个 AWS 账户上创建 Elastic Search 的 Cloud Watch 日志组订阅者
问题描述
我有两个 AWS 账户,一个 AWS 账户“A”包含 Cloud Watch,其中包含数据流(之前我创建了订阅者以使用 AWS 控制台将日志发送到同一账户中的 Elastic Search 实例,它工作得很好)所以我删除了以前的订阅者并为账户 B(使用账户 B ARN 和域)创建了一个当我尝试流式传输日志时,我在转发日志的 Lambda 中遇到以下错误:
{
"errorType": "Error",
"errorMessage": "{\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
"stack": [
"Error: {\"statusCode\":403,\"responseBody\":{\"Message\":\"User: arn:aws:sts::<account A id>:assumed-role/lambda_elasticsearch_execution/LogsToElasticsearchEx_cloud-watch-elasticsearch is not authorized to perform: es:ESHttpPost\"}}",
" at _homogeneousError (/var/runtime/CallbackContext.js:13:12)",
" at postError (/var/runtime/CallbackContext.js:30:51)",
" at done (/var/runtime/CallbackContext.js:57:7)",
" at fail (/var/runtime/CallbackContext.js:69:7)",
" at Object.fail (/var/runtime/CallbackContext.js:105:16)",
" at /var/task/index.js:42:25",
" at IncomingMessage.<anonymous> (/var/task/index.js:176:13)",
" at IncomingMessage.emit (events.js:203:15)",
" at endReadableNT (_stream_readable.js:1145:12)",
" at process._tickCallback (internal/process/next_tick.js:63:19)"
]
}
我有以下 IAM 角色:
帐户 A lambda 角色
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
},
{
"Effect": "Allow",
"Action": "es:ESHttpPost",
"Resource": "arn:aws:es:*:<account B id>:*"
}
]
}
账户 B 角色(有信任关系):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:CreateLogGroup"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "es:ESHttpPost",
"Resource": "*"
}
]
}
Trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account A id>:role/lambda_elasticsearch_execution"
},
"Action": "sts:AssumeRole"
}
]
}
我按照下面的指南进行操作,但仍然在相同的错误中运行
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam -角色/
有人知道我缺少什么吗?
提前感谢!
解决方案
我有同样的问题......要解决这个问题并不像你想象的那么难。让我们开始帐户 A(编号 1234567890)在 cloudwatch 中的日志组。账户 B(编号 0987654321)包含正在运行的弹性搜索 (ES)。帐户 A 正在运行 lambda 或使用角色名称 (SentCloudwatchToES)。这是起点。现在转到账户 B,打开 ES 的策略。这是您在创建 ES 堆栈期间创建的策略。您可以通过AWS中的ES部分找到它!(转到 AWS 中的 ES,单击域,单击操作,修改访问策略)编辑策略,包含以下部分:
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:role/service-role/SentCloudwatchToES",
]
},
"Action": "es:*",
"Resource": "arn:aws:es:<YOUR-REGION>:0987654321:domain/<YOUR-ES-DOMIAN>/*"
}
保护它,并等待几分钟,以便 AWS 可以在 ES 中处理策略。现在设置/配置从账户 A 到账户 B 到 ES 的日志流。