sls deploys multiple IAM roles for Lambda, and the role that gets assumed is the wrong one and lacks permissions

Problem description

I am currently running an sls project with 2 lambda functions. One pushes items to Dynamo, the other is triggered when items are pushed to Dynamo (stream). "process lambda" -> DDB -> "build lambda".

When testing locally with sls, all PutItem calls work. When testing live on AWS after sls deploy, I get an access denied problem:

assumed-role/app-client-onboarder-dev-us-east-2-lambdaRole/app-client-onboarder-dev-app_new_client_process is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:123456789:table/dev-app-clients 

When I look in IAM, this deployment has 2 roles (I expected only 1)

  1. arn:aws:iam::123456789:role/AppClient-dev-BuildProcessLambdaExecutionRole
  2. arn:aws:iam::123456789:role/app-client-onboarder-dev-us-east-2-lambdaRole

It looks like the assumed role above is assumed-role/role 1./role 2.

What am I missing w/r/t the new role and sls policies to get the deployed lambdas to assume the defined role? Where does the second, "deployment"-level role come from?

Excerpt of serverless.yml below.

service: app-client-onboarder


provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev

functions:
  app_new_client_process:
    handler: lambda/handler.app_new_client_process
    tracing: true
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}

  app_new_client_build_resources:
    handler: lambda/handler.app_new_client_build_resources
    tracing: true
    events:
      - stream: ${self:custom.client-table-updates.${self:provider.stage}}
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}


resources:
  Resources: 
    appClientBuildProcessLambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appClient-${self:provider.stage}-BuildProcessLambdaExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
        - PolicyName: appClientDynamoDBIamPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "dynamodb:DescribeTable"
                  - "dynamodb:GetItem"
                  - "dynamodb:PutItem"
                  - "dynamodb:DescribeStream"
                  - "dynamodb:ListStreams"
                  - "dynamodb:ListTables"
                Resource: "arn:aws:dynamodb:*:146449424444:table/*app-client*"
        - PolicyName: appLogsIamPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "arn:aws:logs:*:146449424444:*"
        - PolicyName: appXrayTracingPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "xray:PutTraceSegments"
                  - "xray:PutTelemetryRecords"
                Resource: "*"

plugins: 
  - serverless-plugin-tracing

Tags: amazon-web-services, serverless

Solution


Set the name of the role defined in resources at the appropriate scope.

provider level:

provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev
  role: AppExRole

function level, if each function has a different set of permissions:

functions:
  f1:
    role: AppExRole
  f2:
    role: AppExRole2
