AWS Elasticsearch Access Policy for CodeBuild Integration Tests Using Hibernate Search Using ElasticSearch to Store Indexes

I want to run a CodeBuild project to run my integration tests. My application uses AWS ElasticSearch service as the Hibernate Search index store.

I added a policy to my ES domain that allows private ec2 instances to access the ES through a NAT gateway. Unfortunately I can't figure out the correct policy to allow CodeBuild to access ES. When I run the CodeBuild project, I get a 403 error when Hibernate tries to check for the existence of the index.

Caused by: org.hibernate.search.exception.SearchException:   HSEARCH400007: Elasticsearch request failed.
Request:
Operation: IndicesExists
URI:com.mycompany.myproject.model.tenant
Data:
null
Response:
=========
Status: 403
Error message: 403 Forbidden
Cluster name: null
Cluster status: null 

When I configure the ES access policy to allow open access to the domain ("AWS": "*"), the tests run fine.

This is the ES access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_ID:role/CodeBuildRole-XXXXXXXX"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:AWS_ACCOUNT_ID:domain/elastic-search-domain/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-1:AWS_ACCOUNT_ID:domain/elastic-search-domain/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "NAT_GW_IP"
        }
      }
    }
  ]
}

I have also tried the following as a principal:

"arn:aws:sts::AWS_ACCOUNT_ID:assumed-role/CodeBuildRole-XXXXXXXXX/*"

"arn:aws:iam::AWS_ACCOUNT_ID:role/CodeBuildRole-XXXXXXXXX"

"arn:aws:iam::AWS_ACCOUNT_ID:root"

"arn:aws:iam::AWS_ACCOUNT_ID:user/MI_USER_ADMIN"

Any help would be much appreciated.

Thanks.



2 answers


Perhaps you need to sign your ES requests.

I'm not familiar with CodeBuild, but the usual rule of thumb is this: when using IAM roles to access Elasticsearch, your requests must be signed with that IAM role.

e.g. For Python, you should use a tool like this: https://github.com/DavidMuller/aws-requests-auth

More information: http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

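The answer above says a request made with an IAM role has to carry a Signature Version 4 signature, which Hibernate Search's client does not add here. As an added example (not code from the question, the answer, or Hibernate Search), here is a minimal SigV4 signer using only the standard library, producing the headers for the same IndicesExists `HEAD` call that returned 403 in the question. The host name, region and credentials are constructed placeholders (the key pair is the example pair from AWS documentation); a CodeBuild job would read the role's temporary credentials, including the session token, from its environment.

```python
"""Sign an Elasticsearch REST request with AWS Signature Version 4 (added example)."""
import datetime
import hashlib
import hmac
from urllib.parse import quote

SERVICE = "es"  # service name in the SigV4 credential scope for Amazon Elasticsearch Service


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, SERVICE)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, region, access_key, secret_key,
                 session_token=None, body=b"", query="", now=None):
    """Return the HTTP headers (including Authorization) for a signed request.

    `path` is the raw request path, e.g. "/com.mycompany.myproject.model.tenant"
    for the IndicesExists (HEAD) call from the question. This example assumes
    index names made of unreserved URI characters, so a single percent-encoding
    of the path is enough. `query` must already be in canonical form or empty.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    # Headers covered by the signature. Temporary credentials (an STS /
    # CodeBuild role session) must also send and sign x-amz-security-token.
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token

    payload_hash = hashlib.sha256(body).hexdigest()
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        method.upper(),
        quote(path, safe="/~"),
        query,
        canonical_headers,
        signed_headers,
        payload_hash,
    ])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    signed = dict(headers)
    signed["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return signed


if __name__ == "__main__":
    # Constructed placeholders; a real build reads these from the CodeBuild
    # environment rather than hard-coding them.
    hdrs = sign_request(
        "HEAD", "search-mydomain-abc123.eu-west-1.es.amazonaws.com",
        "/com.mycompany.myproject.model.tenant", "eu-west-1",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        session_token="FQoDYXdzEXAMPLETOKEN",
    )
    for name, value in hdrs.items():
        print(f"{name}: {value}")
```

The returned dictionary is what an HTTP client sends as headers; the domain's access policy is then evaluated against the role named in the `Credential=` scope instead of against an anonymous caller, which is why an unsigned request from a correctly listed role still gets 403.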


I would like to expand on VME's answer more precisely.

To access ElasticSearch using a role, the request must be signed.

This solution is usually correct, but in my particular case it does not work as the queries on AWS ES are generated by Hibernate Search ElasticSearch. (Can we find another solution using AOP?)

I finally figured out a workaround for this problem. In the CodeBuild build spec I added the following steps:

  • Configure the AWS CLI with a user whose policy allows reading and updating the ES domain.
  • Read and save the current ES domain access policy.
  • Get the CodeBuild EC2 IP address.
  • Update the ES domain access policy to allow access from the CodeBuild IP address.
  • Wait until the changes are applied (approx. 15 min).
  • Run the tests.
  • Restore the previous configuration.

I don't really like this solution because domain policy updates take too long. This step is part of the CodePipeline for continuous integration and should not take more than 15 or 20 minutes to complete.

Any ideas on how to improve this?

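The workaround in the answer above edits the domain access policy around each test run, and the question notes that the only setting that worked out of the box was open access ("AWS": "*"). As an added example (mine, not code from the question or either answer), the following helpers cover the policy-editing part of both: they add a temporary allow statement scoped to a single CodeBuild IP, remove it again for the restore step, and flag any statement that grants access to every principal with no Condition, which is the open-access configuration a reviewer should reject. The account id, domain ARN, role name and IP addresses in the sample policy are constructed placeholders.

```python
"""Add/remove a temporary IP allow statement in an ES domain access policy (added example)."""
import copy
import ipaddress
import json

TEMP_SID = "TemporaryCodeBuildIpAllow"  # marker so the statement can be found and removed later


def _statements(policy):
    """IAM allows "Statement" to be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _principals(stmt):
    """Normalise Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list of strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    vals = []
    for v in p.values():
        vals.extend(v if isinstance(v, list) else [v])
    return vals


def open_access_statements(policy):
    """Return Allow statements that apply to every principal and carry no Condition.

    This is the "open access" setting the question reports as making the tests
    pass; it exposes the domain to the whole internet and should not be left in place.
    """
    return [s for s in _statements(policy)
            if s.get("Effect") == "Allow" and "*" in _principals(s) and "Condition" not in s]


def add_temporary_ip_statement(policy, ip, domain_arn):
    """Return a copy of `policy` with an Allow statement for the single host `ip` appended.

    The rule is limited to a /32 (or /128 for IPv6) and tagged with TEMP_SID; an
    earlier statement with that Sid is replaced, so repeated builds do not
    accumulate stale rules.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    cidr = f"{addr}/{addr.max_prefixlen}"
    resource = domain_arn if domain_arn.endswith("/*") else domain_arn.rstrip("/") + "/*"
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in _statements(new) if s.get("Sid") != TEMP_SID]
    new["Statement"].append({
        "Sid": TEMP_SID,
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": resource,
        "Condition": {"IpAddress": {"aws:SourceIp": cidr}},
    })
    return new


def remove_temporary_ip_statement(policy):
    """Return a copy of `policy` without the TEMP_SID statement (the restore step)."""
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in _statements(new) if s.get("Sid") != TEMP_SID]
    return new


# Constructed sample with the shape of the policy in the question: the role
# statement and the NAT-gateway IP statement, no open-access statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/CodeBuildRole-EXAMPLE"},
            "Action": "es:*",
            "Resource": "arn:aws:es:eu-west-1:123456789012:domain/elastic-search-domain/*",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "es:*",
            "Resource": "arn:aws:es:eu-west-1:123456789012:domain/elastic-search-domain/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.7"}},
        },
    ],
}

if __name__ == "__main__":
    domain = "arn:aws:es:eu-west-1:123456789012:domain/elastic-search-domain"
    updated = add_temporary_ip_statement(SAMPLE_POLICY, "203.0.113.10", domain)
    print(json.dumps(updated, indent=2))
    print("open-access statements:", len(open_access_statements(updated)))
    assert remove_temporary_ip_statement(updated) == SAMPLE_POLICY
```

In a build spec this sits between the CLI calls the answer describes: `aws es describe-elasticsearch-domain-config --domain-name <name>` returns the current policy as a JSON string under `DomainConfig.AccessPolicies.Options`, the updated document goes back with `aws es update-elasticsearch-domain-config --domain-name <name> --access-policies file://policy.json`, and the same describe call's `DomainConfig.AccessPolicies.Status.State` can be polled until it reads `Active` before the tests start. Keeping the saved original and running the restore step even when the tests fail is what prevents the temporary rule from outliving the build.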