amazon-web-services - AWS STS 临时凭证 InvokeFunction lambda 不起作用
问题描述
我正在为包含以下 lambda 权限语句的用户界面颁发 STS 令牌:
{
"Sid" : "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
"arn:aws:lambda:us-east-2:*:function:ImageScanner"
]
},
当我尝试从浏览器中的 aws-sdk.js 调用该函数时,我收到一条错误消息:
"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"
我是否遗漏了该政策中的某些内容?
解决方案
我发现了问题,您的保单缺少帐号。应该是这样
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:ap-southeast-2:012345678901:function:*"
]
}
]
}
注意:您还应该将此策略分配给您担任的角色,而不是分配给正在担任的用户。你能确认那部分吗?
参考:https ://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/