amazon-web-services - Serverless Framework Lambda execution role mismatch?
Problem description
I am using the Serverless Framework to build a simple Lambda-based schema validation service with node.js and the ajv library.
As described here, my local invocation works, but when I invoke remotely I get Access Denied from S3. On top of that, when I run the policy simulator on AWS with my specific resource, it says access is granted, so now I'm confused.
I invoke my function remotely with
SLS_DEBUG=* sls invoke -f validate --data '{"schema":"valid", "schema_version":""}'
The relevant error message I get is:
platform-sdk fetching: POST https://api.serverless.com/core/tenants/l1nxit/applications/api/profileValue
Serverless: Invoke invoke
Serverless: [AWS lambda 200 1.555s 0 retries] invoke({ FunctionName: 'validate-stage-validate',
InvocationType: 'RequestResponse',
LogType: 'None',
Payload: '***SensitiveInformation***' })
{
"errorMessage": "Access Denied",
"errorType": "AccessDenied",
"stackTrace": [
"Request.extractError (/var/task/node_modules/aws-sdk/lib/services/s3.js:585:35)",
"Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
"Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
"Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)",
"Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)",
"AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)",
"/var/task/node_modules/aws-sdk/lib/state_machine.js:26:10",
"Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)",
"Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)",
"Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]
}
Error --------------------------------------------------
Error: Invoked function failed
at AwsInvoke.log (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/plugins/aws/invoke/index.js:105:31)
From previous event:
at Object.invoke:invoke [as hook] (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/plugins/aws/invoke/index.js:23:12)
at BbPromise.reduce (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/classes/PluginManager.js:489:55)
From previous event:
at PluginManager.invoke (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/classes/PluginManager.js:489:22)
at getHooks.reduce.then (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/classes/PluginManager.js:524:24)
From previous event:
at PluginManager.run (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/classes/PluginManager.js:524:8)
at variables.populateService.then (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/Serverless.js:115:33)
at runCallback (timers.js:705:18)
at tryOnImmediate (timers.js:676:5)
at processImmediate (timers.js:658:5)
at process.topLevelDomainCallback (domain.js:126:23)
From previous event:
at Serverless.run (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/lib/Serverless.js:102:74)
at serverless.init.then (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/bin/serverless.js:72:30)
at /Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/node_modules/graceful-fs/graceful-fs.js:111:16
at /Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/node_modules/graceful-fs/graceful-fs.js:45:10
at FSReqWrap.args [as oncomplete] (fs.js:140:20)
From previous event:
at initializeErrorReporter.then (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/bin/serverless.js:72:8)
at runCallback (timers.js:705:18)
at tryOnImmediate (timers.js:676:5)
at processImmediate (timers.js:658:5)
at process.topLevelDomainCallback (domain.js:126:23)
From previous event:
at Object.<anonymous> (/Users/myuser/.nvm/versions/node/v10.17.0/lib/node_modules/serverless/bin/serverless.js:61:4)
at Module._compile (internal/modules/cjs/loader.js:778:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
at Module.load (internal/modules/cjs/loader.js:653:32)
at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
at Function.Module._load (internal/modules/cjs/loader.js:585:3)
at Function.Module.runMain (internal/modules/cjs/loader.js:831:12)
at startup (internal/bootstrap/node.js:283:19)
at bootstrapNodeJSCore (internal/bootstrap/node.js:623:3)
Get Support --------------------------------------------
Docs: docs.serverless.com
Bugs: github.com/serverless/serverless/issues
Issues: forum.serverless.com
Your Environment Information ---------------------------
Operating System: darwin
Node Version: 10.17.0
Framework Version: 1.56.1
Plugin Version: 3.2.1
SDK Version: 2.2.0
Components Core Version: 1.1.2
Components CLI Version: 1.4.0
The message {"errorMessage":"Not Found"} that I get back from https://api.serverless.com/core/tenants/[[my profileValue]]
looks very suspicious to me, although I went back over the serverless user configuration and found nothing wrong.
My serverless.yml is configured as follows:
service: validate
app: api
org: l1nxit

custom:
  test: false
  inputBucket: l1nxit-schemas

provider:
  name: aws
  runtime: nodejs8.10
  # defaults
  stage: stage
  region: eu-central-1
  user: serverless
  # Lambda IAM Role
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - s3:GetObject
        - s3:GetObjectAcl
      Resource: "arn:aws:s3:::${self:custom.inputBucket}/*"

# packaging information
package:
  include:
    - node_modules/ajv/**
    - node_modules/fast-deep-equal/**
    - node_modules/fast-json-stable-stringify/**
    - node_modules/json-schema-traverse/**
    - node_modules/uri-js/**
  exclude:
    - S3/**
    - __tests__/**
    - .idea/**
    - coverage/**

functions:
  validate:
    handler: handler.validate
    environment:
      TEST: ${self:custom.test}
      INPUT_BUCKET: ${self:custom.inputBucket}
Any help would be greatly appreciated.
Solution
To get an object from S3, it is important to have permission to list the bucket you are getting the object from. In your iamRoleStatements, add a permission that does this:
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource: "arn:aws:s3:::${self:custom.inputBucket}"
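Two details of that fix are easy to get wrong and are worth checking before the next deploy. First, s3:ListBucket is evaluated against the bucket ARN, so its Resource must be "arn:aws:s3:::bucket" with no trailing "/*" (as in the answer); a ListBucket grant written on the object ARN never matches. Second, without ListBucket on the bucket, a GetObject for a key that does not exist comes back as 403 Access Denied rather than 404 NoSuchKey, which is one reason the policy simulator can say "allowed" for an existing key while a real invocation fails. The script below is an added example, not code from the question, the answer or the Serverless Framework: it takes the iamRoleStatements as a list of dicts mirroring the YAML above (with the question's bucket name l1nxit-schemas and a minimal, constructed stand-in for the ${self:custom.*} substitution), and reports statements that grant GetObject without a matching bucket-level ListBucket, ListBucket attached to an object ARN, or S3 actions on Resource "*".

```python
"""Lint serverless.yml-style IAM statements for the S3 permission pattern in this question.

Added example, not the asker's, the answerer's or the Serverless Framework's code.
Findings raised:
  1. s3:GetObject on a bucket's objects without s3:ListBucket on the bucket itself
     (the fix from the answer; a missing key then yields 403 instead of 404);
  2. s3:ListBucket attached to an object ARN ("arn:aws:s3:::bucket/*"), which
     never matches because ListBucket is evaluated against the bucket ARN;
  3. S3 actions on Resource "*", broader than a single-bucket function needs.
"""
import re

BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::([^/*]+)$")      # bucket-level ARN
OBJECT_ARN_RE = re.compile(r"^arn:aws:s3:::([^/*]+)/.+$")   # object-level ARN
VAR_RE = re.compile(r"\$\{self:custom\.([A-Za-z0-9_]+)\}")  # ${self:custom.key}


def _as_list(value):
    """YAML allows a scalar or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resolve_custom(statements, custom):
    """Constructed, minimal substitute for the framework's ${self:custom.*} expansion."""
    def sub(text):
        return VAR_RE.sub(lambda m: str(custom[m.group(1)]), text)
    return [{**s, "Resource": [sub(r) for r in _as_list(s.get("Resource", []))]}
            for s in statements]


def lint_s3_statements(statements):
    """Return human-readable findings for already-resolved Allow statements."""
    findings = []
    list_bucket_on = set()  # buckets that have a correct bucket-level ListBucket
    get_object_on = {}      # bucket -> index of the first statement granting GetObject

    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" and any(a.startswith("s3:") for a in actions):
                findings.append(f"statement {idx}: S3 actions on Resource '*' are broader than needed")
                continue
            bucket_match = BUCKET_ARN_RE.match(resource)
            object_match = OBJECT_ARN_RE.match(resource)
            if "s3:listbucket" in actions or "s3:*" in actions:
                if bucket_match:
                    list_bucket_on.add(bucket_match.group(1))
                elif object_match and "s3:listbucket" in actions:
                    findings.append(f"statement {idx}: s3:ListBucket on object ARN '{resource}' "
                                    "never matches; use the bucket ARN without '/*'")
            if ("s3:getobject" in actions or "s3:*" in actions) and object_match:
                get_object_on.setdefault(object_match.group(1), idx)

    for bucket, idx in get_object_on.items():
        if bucket not in list_bucket_on:
            findings.append(f"statement {idx}: s3:GetObject on bucket '{bucket}' without "
                            f"s3:ListBucket on 'arn:aws:s3:::{bucket}'; a missing key "
                            "returns 403 Access Denied instead of 404 NoSuchKey")
    return findings


# Constructed inputs mirroring the question's serverless.yml.
CUSTOM = {"inputBucket": "l1nxit-schemas"}

ORIGINAL = [  # the question's statement: object permissions only
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectAcl"],
     "Resource": "arn:aws:s3:::${self:custom.inputBucket}/*"},
]

FIXED = ORIGINAL + [  # the answer applied: ListBucket on the bucket ARN itself
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::${self:custom.inputBucket}"},
]

WRONG_FIX = ORIGINAL + [  # common mistake: ListBucket on the object ARN
    {"Effect": "Allow",
     "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::${self:custom.inputBucket}/*"},
]


def check(statements, custom=CUSTOM):
    """Resolve variables, then lint; returns the list of findings ([] means clean)."""
    return lint_s3_statements(resolve_custom(statements, custom))


if __name__ == "__main__":
    for name, stmts in (("original", ORIGINAL), ("fixed", FIXED), ("wrong fix", WRONG_FIX)):
        print(f"{name}: {check(stmts) or ['no findings']}")
```

Running it prints one finding for the question's configuration, none for the answer's, and two for the "/*" variant of ListBucket. Keep the object grant on "bucket/*" and the ListBucket grant on "bucket" as two statements; both are needed, and neither should be widened to "*".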