时间戳

首页 > 解决方案 > AWS StepFunctions:通过 lambda 使用 AWS-SDK 创建状态机时出错

amazon-web-services - AWS StepFunctions:通过 lambda 使用 AWS-SDK 创建状态机时出错

问题描述

我正在尝试使用 AWS sdk 在 AWS stepfunctions 中创建一个状态机,例如,

stepfunctions.createStateMachine(params, function(err, data)...

我在 AWS 控制台中创建了一个 lambda,并添加了用于创建状态机的代码。我还为角色提供了执行此 lambda 并创建状态机的权限。我也使用模拟器验证了角色权限,这很好(允许)。但是当我执行 lambda 时,我得到了 AcccessDeniedException。

   errorMessage": "User: arn:aws:sts::555555555:assumed-role/SFN_API_role/SFAPITest is not authorized to perform: states:CreateStateMachine on resource: arn:aws:states:us-east-1:555555555:stateMachine:*",
  "errorType": "AccessDeniedException

“SFN_API_role”是角色,“SFAPITest”是 lambda。这是定义的策略:

 {
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "states:ListStateMachines",
            "states:ListActivities",
            "states:CreateStateMachine",
            "states:CreateActivity"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "lambda:*"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "states:DescribeStateMachine",
            "states:StartExecution",
            "states:DeleteStateMachine",
            "states:ListExecutions"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "states:DescribeExecution",
            "states:GetExecutionHistory",
            "states:StopExecution"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "states:DescribeActivity",
            "states:DeleteActivity",
            "states:GetActivityTask",
            "states:SendTaskSuccess",
            "states:SendTaskFailure",
            "states:SendTaskHeartbeat"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

任何指针表示赞赏!

标签: amazon-web-servicesaws-lambdaaws-step-functionsaws-iamamazon-iam

解决方案

您正在使用"Resource": ["*"]而不是"Resource": "*". 只需将您的政策的第一部分更改为以下内容:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "states:ListStateMachines",
            "states:ListActivities",
            "states:CreateStateMachine",
            "states:CreateActivity"
        ],
        "Resource": "*"
    },
...

推荐阅读