我最近开始使用新的亚马逊Elasticsearch服务，我似乎无法找出我需要让我只能从具有分配给他们一个特定的IAM角色我的EC2实例访问该服务的访问策略。

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned to them.

下面是我目前已经分配给ES域的访问策略的一个例子：

Here's an example of the access policy I currently have assigned for the ES domain:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::[ACCOUNT_ID]:role/my_es_role",
        ]
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/*"
    }
  ]
}

但正如我所说，这是行不通的。我登录到EC2实例（其中有连接到它的 my_es_role 角色），并尝试运行在HTTPS一个简单的卷曲电话：//*.es.amazonaws。 COM的终点，我得到以下错误：

But as I said, this doesn't work. I log into the EC2 instance (which has the my_es_role role attached to it) and attempt to run a simple curl call on the "https://*.es.amazonaws.com" end point, I get the following error:

{消息：网友：匿名无权执行：ES：ESHttpGet资源：ARN：AWS：ES：美东1：ACCOUNT_ID]：域/ [ES_DOMAIN] /}

{"Message":"User: anonymous is not authorized to perform: es:ESHttpGet on resource: arn:aws:es:us-east-1:[ACCOUNT_ID]:domain/[ES_DOMAIN]/"}

有谁知道我在访问策略来更改为了这个工作？

Does anyone know what I have to change in the access policy in order for this to work?

推荐答案

据AWS doc和你（我）只是测试，你不能限制访问的AWS ES域角色/账号/用户/ ..以及蜷了！

According to AWS doc and as you (and I) just tested, you cannot restrict access to an AWS ES domain to a role/account/user/... and simply cURL it!

标准客户端，如卷曲，无法执行所需的基于身份的访问策略请求签名。您必须使用一个基于IP地址的访问策略，允许匿名访问成功地执行说明此步骤。   （http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg-search.html)

Standard clients, such as curl, cannot perform the request signing that is required of identity-based access policies. You must use an IP address-based access policy that allows anonymous access to successfully perform the instructions for this step. (http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-gsg-search.html)

所以，你有两种基本的解决方案：

So you have basically two solutions:

更改您的访问策略，并将其限制为IP（S），我认为你不能使用私有IP，因为你的ES集群似乎并不属于你的VPC（默认与否）。请使用公共IP 登入您的要求：http://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-managedomains.html#es-managedomains-signing-service-requests

登录你的要求可能是最好的解决办法，如果你想保持你的访问策略的是（这比限制一个IP更灵活的），但它似乎更复杂一点。我还没有试过这么远，我无法找到任何文档提供帮助。

Signing your request is probably the best solution if you want to keep your access policy as is (which is more flexible than restricting to an IP), but it seems to be a bit more complex. I haven't tried so far and I cannot find any doc to help.