amazon-web-services - sls deploys multiple IAM roles for Lambda; the assumed role is the wrong one and lacks permissions
Problem description
I'm currently running an sls project with 2 Lambda functions. One pushes an item to Dynamo, the other is triggered when an item is pushed to Dynamo (stream). "process lambda" -> DDB -> "build lambda".
When testing locally with sls, all PutItem calls work. When testing live on AWS after `sls deploy`, I get an access denied problem:
assumed-role/app-client-onboarder-dev-us-east-2-lambdaRole/app-client-onboarder-dev-app_new_client_process is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:123456789:table/dev-app-clients
When I look in IAM, this deployment has 2 roles (I thought there would be only 1):
- arn:aws:iam::123456789:role/AppClient-dev-BuildProcessLambdaExecutionRole
- arn:aws:iam::123456789:role/app-client-onboarder-dev-us-east-2-lambdaRole
It looks like the assumed role above is assumed-role/role 1/role 2.
- The first is defined in resources (see bottom), with separate policies
- The second looks like it was built for this cf/sls deployment; this one has a single policy with multiple statements and is missing key permissions (like dynamodb:PutItem).
What am I missing w/r/t the new role and sls policies to get the deployed lambdas to assume the defined role? Where does the second "deployment"-level role come from?
Excerpt from serverless.yml below.
service: app-client-onboarder
provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev
functions:
  app_new_client_process:
    handler: lambda/handler.app_new_client_process
    tracing: true
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}
  app_new_client_build_resources:
    handler: lambda/handler.app_new_client_build_resources
    tracing: true
    events:
      - stream: ${self:custom.client-table-updates.${self:provider.stage}}
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}
resources:
  Resources:
    appClientBuildProcessLambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appClient-${self:provider.stage}-BuildProcessLambdaExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: appClientDynamoDBIamPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: "Allow"
                  Action:
                    - "dynamodb:DescribeTable"
                    - "dynamodb:GetItem"
                    - "dynamodb:PutItem"
                    - "dynamodb:DescribeStream"
                    - "dynamodb:ListStreams"
                    - "dynamodb:ListTables"
                  Resource: "arn:aws:dynamodb:*:146449424444:table/*app-client*"
          - PolicyName: appLogsIamPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: "Allow"
                  Action:
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                  Resource: "arn:aws:logs:*:146449424444:*"
          - PolicyName: appXrayTracingPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: "Allow"
                  Action:
                    - "xray:PutTraceSegments"
                    - "xray:PutTelemetryRecords"
                  Resource: "*"
plugins:
  - serverless-plugin-tracing
Solution
Set the role name defined in resources at the appropriate scope.
At the `provider` level:
provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev
  role: AppExRole
At the `function` level, if each function has a different set of permissions:
functions:
  f1:
    role: AppExRole
  f2:
    role: AppExRole2
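As an added example, not part of the original answer, the answer's `AppExRole` applied to the question's own resource: `provider.role` points at the logical ID `appClientBuildProcessLambdaExecutionRole`, and because a custom role replaces the framework-generated one, the stream-polling actions that the generated role would have carried are granted explicitly. `ACCOUNT_ID` is a placeholder, `appClientStreamConsumerRole` is hypothetical, and the question's logs and X-Ray policies are unchanged and omitted here.

```yaml
provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev
  # Logical ID of the role under resources.Resources; with this set the
  # functions assume it instead of the framework-generated
  # app-client-onboarder-dev-us-east-2-lambdaRole named in the error.
  role: appClientBuildProcessLambdaExecutionRole
functions:
  app_new_client_process:
    handler: lambda/handler.app_new_client_process
  app_new_client_build_resources:
    handler: lambda/handler.app_new_client_build_resources
    events:
      - stream: ${self:custom.client-table-updates.${self:provider.stage}}
    # A function-level role (logical ID or ARN) overrides provider.role:
    # role: appClientStreamConsumerRole   # hypothetical, not defined here
resources:
  Resources:
    appClientBuildProcessLambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appClient-${self:provider.stage}-BuildProcessLambdaExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal: { Service: lambda.amazonaws.com }
              Action: sts:AssumeRole
        Policies:
          - PolicyName: appClientDynamoDBIamPolicy
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - dynamodb:DescribeTable
                    - dynamodb:GetItem
                    - dynamodb:PutItem
                    # Needed by the Lambda stream poller; the generated
                    # default role grants these, a custom role must too.
                    - dynamodb:DescribeStream
                    - dynamodb:GetRecords
                    - dynamodb:GetShardIterator
                    - dynamodb:ListStreams
                  Resource:
                    - arn:aws:dynamodb:us-east-2:ACCOUNT_ID:table/dev-app-clients
                    - arn:aws:dynamodb:us-east-2:ACCOUNT_ID:table/dev-app-clients/stream/*
```

After deploying, the `assumed-role/...` prefix in any further AccessDenied message should name `AppClient-dev-BuildProcessLambdaExecutionRole`, which confirms the functions are using the resource-defined role rather than the generated one.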