我想启动一个CodeBuild项目来运行我的集成测试。我的应用程序使用AWS ElasticSearch服务作为Hibernate Search索引存储。用于CodeBuild集成的AWS Elastisearch访问策略使用Hibernate搜索使用ElasticSearch进行索引存储搜索
我已经向我的ES域添加了一个策略,允许私有EC2实例通过NAT网关访问ES。不幸的是,我无法想出允许CodeBuild访问ES的正确策略。当我运行CodeBuild项目时,当Hibernate尝试检查索引存在时,我得到一个403错误。
Caused by: org.hibernate.search.exception.SearchException: HSEARCH400007: Elasticsearch request failed.
Request:
Operation: IndicesExists
URI:com.mycompany.myproject.model.tenant
Data:
null
Response:
=========
Status: 403
Error message: 403 Forbidden
Cluster name: null
Cluster status: null
我试图配置ES访问策略,以允许开放接入域,然后测试运行正常(“AWS”:“*”)。
这是ES访问策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_ID:role/CodeBuildRole-XXXXXXXX"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:AWS_ACOUNT_ID:domain/elastic-search-domain/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-west-1:AWS_ACCOUNT_ID:domain/elastic-search-domain/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "NAT_GW_IP"
}
}
}
]
}
为主要我也试过如下:
"arn:aws:sts::AWS_ACCOUNT_ID:assumed-role/CodeBuildRole-XXXXXXXXX/*"
"arn:aws:iam::AWS_ACCOUNT_ID:role/CodeBuildRole-XXXXXXXXX"
"arn:aws:iam::AWS_ACCOUNT_ID:root"
"arn:aws:iam::AWS_ACCOUNT_ID:user/MI_USER_ADMIN"
任何帮助将是非常赞赏。
谢谢
我们在Hibernate Search上取得了一些很好的进展:http://in.relation.to/2017/06/13/hibernate-search-5-8-0-Beta3/ – Sanne