Following is a snippet from my serverless.yml file to create an Elasticsearch domain. If I comment out the AccessPolicies section, the Elasticsearch domain gets created, but it fails when I uncomment it. I want to give the resources of my AWS account access to the Elasticsearch service. Not sure what is wrong. When I search Stack Overflow or Google, I hit some results, but they are related to Terraform.
Note: I use serverless-pseudo-parameters to refer to variables in serverless.yml.
```yaml
EventsElasticsearchDomain:
  Type: AWS::Elasticsearch::Domain
  Properties:
    ElasticsearchVersion: 7.4
    DomainName: testevents
    ElasticsearchClusterConfig:
      InstanceCount: 1
      InstanceType: m5.large.elasticsearch
      ZoneAwarenessEnabled: false
    EBSOptions: # it's expected when we use an m4 or m5 InstanceType
      EBSEnabled: true
      VolumeSize: 10
      VolumeType: gp2
    AccessPolicies:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            AWS: '#{AWS::AccountId}'
          Action: 'es:ESHttp*'
          Resource:
            - arn:aws:es:#{AWS::Region}:#{AWS::AccountId}:domain/testevents/*
```
Error:

```
An error occurred: EventsElasticsearchDomain - Error setting policy:
[{"Version":"2012-10-17T00:00:00.000Z","Statement":[{"Action":"es:ESHttp*","Resource":["arn:aws:es:REGION:ACCNUMBER:domain/testevents/*"],"Effect":"Allow","Principal":{"AWS":"ACCNUMBER"}}]}]
(Service: AWSElasticsearch;
Status Code: 409; Error Code: InvalidTypeException; Request ID: xxxxxxxxxxx).
```
Well, found the culprit. It's me giving the version as a date object rather than a string. Changing Version: 2012-10-17 to Version: '2012-10-17' fixed the issue.
We can notice it in the error message: "Version":"2012-10-17T00:00:00.000Z". It shows the value of Version as a date string, not the string that I've sent.
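As an added example (not from the question or either answer), here is a small Python pre-deploy lint that applies the YAML 1.1 implicit-timestamp rule behind the accepted answer: it flags any unquoted Version: scalar that a YAML parser would turn into a date (which is why CloudFormation saw 2012-10-17T00:00:00.000Z) and produces the quoted form. The regex, function names and the sample fragment are my own; the sample reproduces the question's AccessPolicies block.

```python
import re
from dataclasses import dataclass

# YAML 1.1 implicit timestamp pattern: an unquoted scalar matching it is resolved
# to a date/datetime, which CloudFormation then serialises as 2012-10-17T00:00:00.000Z.
_TIMESTAMP = re.compile(
    r"^[0-9]{4}-[0-9]{1,2}-[0-9]{1,2}"
    r"(?:(?:[Tt]|[ \t]+)[0-9]{1,2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]*)?"
    r"(?:[ \t]*(?:Z|[-+][0-9]{1,2}(?::[0-9]{2})?))?)?$"
)
# A `Version:` mapping entry, with any trailing comment captured separately.
_VERSION_LINE = re.compile(r"^(?P<indent>\s*)Version:\s*(?P<value>.*?)(?P<comment>\s*#.*)?$")

@dataclass
class Finding:
    line_no: int     # 1-based line in the YAML text
    value: str       # the unquoted scalar as written
    fixed_line: str  # the same line with the value single-quoted

def find_unquoted_policy_versions(yaml_text: str) -> list[Finding]:
    """Return every `Version:` scalar that YAML would coerce into a timestamp."""
    findings = []
    for n, line in enumerate(yaml_text.splitlines(), start=1):
        m = _VERSION_LINE.match(line)
        if not m:
            continue
        value = m.group("value")
        quoted = len(value) >= 2 and value[0] == value[-1] and value[0] in "'\""
        if not quoted and _TIMESTAMP.match(value):
            fixed = f"{m.group('indent')}Version: '{value}'{m.group('comment') or ''}"
            findings.append(Finding(n, value, fixed))
    return findings

def fix_policy_versions(yaml_text: str) -> str:
    """Rewrite each flagged line with the quoted value, leaving everything else intact."""
    lines = yaml_text.splitlines()
    for f in find_unquoted_policy_versions(yaml_text):
        lines[f.line_no - 1] = f.fixed_line
    return "\n".join(lines)

# Constructed sample: the AccessPolicies fragment from the question, Version unquoted.
SAMPLE = """\
    AccessPolicies:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Principal:
            AWS: '#{AWS::AccountId}'
"""
```

Running find_unquoted_policy_versions over a whole serverless.yml before deploying catches this class of typing mistake earlier than the 409 from the Elasticsearch API does.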
You forgot about !Sub and $ in your policy:

```yaml
Resource:
  - !Sub "arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/testevents/*"
```

The same goes for

```yaml
Principal:
  AWS: !Sub "${AWS::AccountId}"
```