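Migrating data from one Amazon OpenSearch domain to another domain (cross-account or cross-region).
Process:
- Create the target cluster
- Create an S3 bucket or choose an existing one, and use it as the snapshot repository for both the source and target clusters (a snapshot repository is an Elasticsearch concept: it stores snapshots, and its storage medium can be a local file system, HDFS, or an object storage service such as S3)
- Create a manual snapshot on the source cluster
- Restore on the target cluster from the index snapshot that was created
Steps:
1 Create the target cluster in account B
Keep the same configuration as the source cluster
2 Register a snapshot repository on cluster A
2.1 Create an S3 bucket in account A
2.2 IAM permission configuration
In account A, create an IAM role and attach IAM policies (in the ARNs below, A账户 and B账户 stand for the account IDs of account A and account B)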
Trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Permissions policies for S3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws-cn:s3:::A-test"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws-cn:s3:::A-test/*"
      ]
    }
  ]
}
Permissions policies for AOS:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws-cn:iam::A账户:role/A-aos-thesnapshotrole"
    },
    {
      "Effect": "Allow",
      "Action": "es:ESHttpPut",
      "Resource": "arn:aws-cn:es:cn-north-1:A账户:domain/A-es/*"
    }
  ]
}
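2.3 Register the snapshot repository
In Kibana, map the IAM user to the all_access role in the internal user database. all_access grants full cluster privileges; the built-in manage_snapshots role is enough for registering repositories and taking snapshots.
Register the repository
PUT https://search-XXXXX.cn-north-1.es.amazonaws.com.cn/_snapshot/hyy-repo
{
  "type": "s3",
  "settings": {
    "bucket": "A-test",
    "base_path": "Aessnapshot",
    "region": "cn-north-1",
    "role_arn": "arn:aws-cn:iam::A账户:role/A-aos-thesnapshotrole"
  }
}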
View the registered repositories
GET _snapshot/_all?pretty
{
  "cs-automated-enc" : {
    "type" : "s3"
  },
  "repo" : {
    "type" : "s3",
    "settings" : {
      "bucket" : "A-test",
      "base_path" : "Aessnapshot",
      "region" : "cn-north-1",
      "role_arn" : "arn:aws-cn:iam::A账户:role/A-aos-thesnapshotrole"
    }
  }
}
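3 Create a manual snapshot on the source cluster
Run the following command in Kibana Dev Tools:
# hyy-repo is the repository name, yuyang-20250613 is the snapshot name
PUT /_snapshot/hyy-repo/yuyang-20250613
# Response
{
  "accepted" : true
}
Check whether the snapshot was created successfully
GET _cat/snapshots/hyy-repo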
yuyang-20250528 SUCCESS 1748437898 13:11:38 1748437909 13:11:49 10.6s 56 138 0 138
yuyang-20250613 SUCCESS 1749796460 06:34:20 1749796468 06:34:28 8.6s 56 138 0 138
# The following command shows more detailed information
GET /_snapshot/hyy-repo/_all?pretty
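4 Register the snapshot repository on cluster B
Following the IAM permission configuration in section 2.2, create an IAM role in account B and attach the IAM policies.
Modify the policy of the S3 bucket in account A to grant the account B role cross-account write permission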
{
  "Version": "2012-10-17",
  "Statement":
  {
    "Sid": "Permission for AccountB role",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws-cn:iam::B账户:role/B-aos-thesnapshotrole-B"
    },
    "Action": [
      "s3:GetLifecycleConfiguration",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": [
      "arn:aws-cn:s3:::A-test",
      "arn:aws-cn:s3:::A-test/*"
    ]
  }
}
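Register the snapshot repository
Note: because account B registers the S3 bucket across accounts, add the corresponding S3 endpoint to the request body, for example: "endpoint":"s3.cn-north-1.amazonaws.com.cn"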
PUT https://search-XXXXX.cn-north-1.es.amazonaws.com.cn/_snapshot/hyy-repo
{
  "type": "s3",
  "settings": {
    "bucket": "A-test",
    "base_path": "Aessnapshot",
    "region": "cn-north-1",
    "endpoint": "s3.cn-north-1.amazonaws.com.cn",
    "role_arn": "arn:aws-cn:iam::B账户:role/B-aos-thesnapshotrole-B"
  }
}
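5 Restore the snapshot
Restore all data indices (the index pattern below excludes the .kibana* and .opendistro* system indices)
POST /_snapshot/hyy-repo/yuyang-20250528/_restore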
{"indices": "-.kibana*,-.opendistro*"}
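Repository registration fails when the bucket in the repository settings is not the bucket the IAM policy or bucket policy grants access to, or when the bucket policy names a different role than role_arn. The following added example (not part of the original procedure) checks that consistency offline before the PUT is sent. It assumes exact-string matching of actions, resources and principals (no wildcard, Condition or Deny evaluation); the account ID, the function names and the sample policies are constructed placeholders.

```python
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, principal=None):
    """Map each Resource ARN to the actions granted by Allow statements.
    With `principal` set (bucket policy), only statements naming that exact role ARN count."""
    grants = {}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if principal is not None:
            who = stmt.get("Principal")
            if not isinstance(who, dict) or principal not in as_list(who.get("AWS", [])):
                continue
        for resource in as_list(stmt["Resource"]):
            grants.setdefault(resource, set()).update(as_list(stmt["Action"]))
    return grants

def repo_access_problems(settings, policy, bucket_policy=False, partition="aws-cn"):
    """Return the gaps between repository settings and a policy (empty list = consistent)."""
    bucket_arn = f"arn:{partition}:s3:::{settings['bucket']}"
    grants = allowed_actions(policy, settings["role_arn"] if bucket_policy else None)
    problems = []
    if "s3:ListBucket" not in grants.get(bucket_arn, set()):
        problems.append(f"s3:ListBucket missing on {bucket_arn}")
    missing = OBJECT_ACTIONS - grants.get(bucket_arn + "/*", set())
    if missing:
        problems.append(f"{', '.join(sorted(missing))} missing on {bucket_arn}/*")
    return problems

# Constructed sample data: 222222222222 is a placeholder account ID.
ROLE_B = "arn:aws-cn:iam::222222222222:role/B-aos-thesnapshotrole-B"
REPO_B = {"bucket": "A-test", "base_path": "Aessnapshot", "region": "cn-north-1", "role_arn": ROLE_B}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": ROLE_B},
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws-cn:s3:::A-test", "arn:aws-cn:s3:::A-test/*"]}}
# Constructed identity policy whose Resource names a different bucket than the repository.
MISMATCHED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws-cn:s3:::A-bucket"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws-cn:s3:::A-bucket/*"]}]}

if __name__ == "__main__":
    print(repo_access_problems(REPO_B, BUCKET_POLICY, bucket_policy=True))
    print(repo_access_problems(REPO_B, MISMATCHED_ROLE_POLICY))
```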
References: