aws-lambda - Lambda chaining - invoking a lambda from another lambda using terraform
Problem description
I am trying to invoke one AWS lambda from another and perform lambda chaining. The reason for doing this is that AWS does not allow multiple triggers from the same S3 bucket.
I have created a lambda with an S3 trigger. The Java code of the first lambda listens for S3 events and contains the invocation of the other lambda. The second lambda is invoked from the first one. Both lambdas are created by terraform.
Lambda A has the S3 trigger. It is invoked on an S3 event on a particular bucket. Lambda A does its processing and then invokes Lambda B with an invoke request. The invocation of Lambda B from Lambda A's Java code is:
import com.amazonaws.services.lambda.AWSLambda;
import com.amazonaws.services.lambda.AWSLambdaClientBuilder;
import com.amazonaws.services.lambda.model.InvokeRequest;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.lambda.runtime.events.S3Event;
public class EventHandler implements RequestHandler<S3Event, String> {
    // One client per container; it signs requests with the function's execution role credentials
    private final AWSLambda lambda = AWSLambdaClientBuilder.defaultClient();
    @Override
    public String handleRequest(S3Event event, Context context) {
        InvokeRequest req = new InvokeRequest()
                .withFunctionName("LambdaFunctionB")
                .withPayload(event.toJson()); // forward the S3 event as the payload
        lambda.invoke(req); // throws AWSLambdaException (403 AccessDeniedException) if the role lacks lambda:InvokeFunction
        return "Lambda B invoked";
    }
}
Both lambdas are created using terraform. The scripts are below:
Lambda A terraform:
module "lambda_function" {
  source                      = "Git Path"
  absolute_artifact_path      = "../lambda.jar"
  lambda_function_name        = "LambdaFunctionA"
  lambda_function_description = ""
  lambda_function_runtime     = "java8"
  lambda_handler_name         = "EventHandler"
  lambda_execution_role_name  = "lambda-iam-role"
  lambda_memory               = "512"
  dead_letter_target_arn      = "error-handling-arn"
}
resource "aws_lambda_permission" "allow_bucket" {
  statement_id  = "statementId"
  action        = "lambda:InvokeFunction"
  function_name = "${module.lambda_function.lambda_arn}"
  principal     = "s3.amazonaws.com"
  source_arn    = "s3.bucket.arn"
}
resource "aws_s3_bucket_notification" "bucket_notification" {
  bucket = "bucketName"
  lambda_function {
    lambda_function_arn = "${module.lambda_function.lambda_arn}"
    events              = ["s3:ObjectCreated:*"]
    filter_prefix       = "path/subPath"
  }
}
Lambda B terraform:
module "lambda_function" {
  source                      = "git path"
  absolute_artifact_path      = "../lambda.jar"
  lambda_function_name        = "LambdaFunctionB"
  lambda_function_description = ""
  lambda_function_runtime     = "java8"
  lambda_handler_name         = "LambdaBEventHandler"
  lambda_execution_role_name  = "lambda-iam-role"
  lambda_memory               = "512"
  dead_letter_target_arn      = "error-handling-arn"
}
resource "aws_lambda_permission" "allow_lambda" {
  statement_id  = "AllowExecutionFromLambda"
  action        = "lambda:InvokeFunction"
  function_name = "${module.lambda_function.lambda_arn}"
  principal     = "s3.amazonaws.com"
  source_arn    = "arn:aws:lambda:eu-west-1:xxxxxxxxxx:function:LambdaFunctionA"
}
lambda-iam-role has the following policies attached:
AmazonS3FullAccess
AWSLambdaBasicExecutionRole
AWSLambdaVPCAccessExecutionRole
AmazonSNSFullAccess
CloudWatchEventsFullAccess
The expectation is that Lambda A should successfully invoke Lambda B. Instead I get an AccessDeniedException in the Lambda A logs and it is unable to invoke Lambda B. The error is:
com.amazonaws.services.lambda.model.AWSLambdaException: User: arn:aws:sts::xxxxxxxxx:assumed-role/lambda-iam-role/LambdaFunctionA is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-1:xxxxxxxxx:function:LambdaFunctionB (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: f495ede3-b3cb-47a1-b884-16996545233d)
Solution
- Hope this helps; not exactly the same, but it invokes a lambda from another lambda: Github
- I think the lambda also needs this policy: "lambda:InvokeFunction"
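The 403 above names the caller as the assumed role lambda-iam-role, so the check that failed is the identity-based policy of Lambda A's execution role, not the resource-based policy that aws_lambda_permission manages (that one is for service principals such as s3.amazonaws.com). None of the managed policies listed on the role grant lambda:InvokeFunction. The following is an added example, not the original poster's configuration, of a least-privilege statement attached to that role with Terraform 0.12+ syntax; the region, the policy name and the role name "lambda-iam-role" are taken from the question, the account ID is read from the provider.

```hcl
# Added example: identity-based policy letting Lambda A's execution role invoke
# Lambda B only. Resource and policy names are assumptions, not from the post.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "invoke_lambda_b" {
  statement {
    sid     = "AllowInvokeLambdaB"
    effect  = "Allow"
    actions = ["lambda:InvokeFunction"]
    # Scope to the single target function. "*" here would let a compromised
    # Lambda A invoke every function in the account.
    resources = [
      "arn:aws:lambda:eu-west-1:${data.aws_caller_identity.current.account_id}:function:LambdaFunctionB"
    ]
  }
}

resource "aws_iam_policy" "invoke_lambda_b" {
  name   = "lambda-a-invoke-lambda-b"
  policy = data.aws_iam_policy_document.invoke_lambda_b.json
}

# Attach to the execution role named in the question. Because the question
# shares one role between Lambda A and Lambda B, this also lets B invoke B;
# give each function its own role if that matters.
resource "aws_iam_role_policy_attachment" "lambda_a_invoke_b" {
  role       = "lambda-iam-role"
  policy_arn = aws_iam_policy.invoke_lambda_b.arn
}
```

After `terraform apply`, the grant can be verified without re-running the pipeline: `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names lambda:InvokeFunction --resource-arns <Lambda B ARN>` should report `allowed` for the role. The allow_lambda permission in the Lambda B terraform above (principal s3.amazonaws.com with a Lambda function as source_arn) grants nothing to this call path and can be dropped.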