我想锁定我的AWS Elasticsearch实例,以便只允许我指定的用户更新"索引(通常带有/_bulk请求,但也删除和创建索引),任何人都可以搜索"索引(带有/_search请求)。
这是我认为可行的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::$myRootID:user/$myUserName"
},
"Action": "es:ESHttpPost",
"Resource": "arn:aws:es:us-west-2:$myRootID:domain/myDomainName/*"
},
{
"Sid": "AllowAnonymousHTTPGET",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:ESHttpPost",
"Resource": "arn:aws:es:us-west-2:$myRootID:domain/$myDomainName/_search"
}
]
}
但它似乎不起作用。我还需要POST,因为我无法在我的案例中发送一个GET请求的正文。
我得到的错误:
User: arn:aws:iam::$myRootID:user/$myUserName is not authorized to perform: es:ESHttpPost on resource: $myDomainName