AWS Lambda invoked from CodePipeline: permission denied error

Problem description

I have set up a pipeline to invoke an AWS Lambda function. After running for 30 minutes it shows the error

The AWS Lambda function cloudfront-invalidation failed to return a result. Check the function to verify that it has permission to call the PutJobSuccessResult action and that it called PutJobSuccessResult.

The Lambda role has permission for PutJobSuccessResult, and the CodePipeline service role has permission to invoke the Lambda function.

Here is my lambda code:

import boto3
import time

# Lambda invokes the handler as handler(event, context). With the parameters in
# this order, `event` is really the LambdaContext object, so the
# event['CodePipeline.job'] lookup at the end cannot succeed.
def lambda_handler(context, event):

    # Cross-account role that holds the CloudFront permissions
    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn="arn:aws:iam::1234567890:role/AssumeRole",
        RoleSessionName="cross_acct_lambda"
    )
    
    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    client = boto3.client(
        'cloudfront',
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY,
        aws_session_token=SESSION_TOKEN,
    )
    
    response = client.create_invalidation(
        DistributionId='ABC',
        InvalidationBatch={
            'Paths': {
                'Quantity': 1,
                'Items': [
                    '/*',
                ]
            },
            # CallerReference must be unique per invalidation request
            'CallerReference': str(time.time()).replace(".", "")
        }
    )
    invalidation_id = response['Invalidation']['Id']
    
    print("Invalidation created successfully with Id: " + invalidation_id)
    
    pipeline = boto3.client('codepipeline')
    
    # CodePipeline waits for this call; the job id comes from the invoke event
    response = pipeline.put_job_success_result(
        jobId= event['CodePipeline.job']['id'] 
    )
    return response

Tags: python, python-3.x, aws-lambda, aws-codepipeline

Solution

Problem solved. Updated lambda below:

import boto3
import time
import json
import logging

# Parameters are now in Lambda's (event, context) order, so `event` is the
# CodePipeline job document.
def lambda_handler(event, context):

    sts_connection = boto3.client('sts')
    acct_b = sts_connection.assume_role(
        RoleArn="arn:aws:iam::123456789:role/CloudfrontAssumeRole",
        RoleSessionName="cross_acct_lambda"
    )
    
    ACCESS_KEY = acct_b['Credentials']['AccessKeyId']
    SECRET_KEY = acct_b['Credentials']['SecretAccessKey']
    SESSION_TOKEN = acct_b['Credentials']['SessionToken']

    client = boto3.client(
        'cloudfront',
        aws_access_key_id=ACCESS_KEY,
        aws_secret_access_key=SECRET_KEY,
        aws_session_token=SESSION_TOKEN,
    )
    
    response = client.create_invalidation(
        DistributionId='ABCD',
        InvalidationBatch={
            'Paths': {
                'Quantity': 1,
                'Items': [
                    '/*',
                ]
            },
            'CallerReference': str(time.time()).replace(".", "")
        }
    )
    invalidation_id = response['Invalidation']['Id']
    
    print("Invalidation created successfully with Id: " + invalidation_id)
    
    # Level is INFO, so the debug() calls below are not emitted unless lowered
    logger = logging.getLogger()
    logger.setLevel(logging.INFO)
    logger.debug(json.dumps(event))
 
    codepipeline = boto3.client('codepipeline')
    job_id = event['CodePipeline.job']['id']
 
    # Only the result call is guarded: an exception in the AssumeRole or
    # CreateInvalidation calls above still leaves the job unreported.
    try:
        logger.info('Success!')
        response = codepipeline.put_job_success_result(jobId=job_id)
        logger.debug(response)
    except Exception as error:
        logger.exception(error)
        # Reporting a failure needs codepipeline:PutJobFailureResult in the
        # execution role as well, not just PutJobSuccessResult.
        response = codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={
              'type': 'JobFailed',
              'message': f'{error.__class__.__name__}: {str(error)}'
            }
        )
        logger.debug(response)
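The error text in the question is what CodePipeline reports whenever the function posts neither PutJobSuccessResult nor PutJobFailureResult before the action times out; it is not by itself evidence of an IAM denial. In the question's handler the two parameters were swapped, so event['CodePipeline.job'] was evaluated on the context object and the job id was never read. The following is an added example, not the poster's code, showing the pattern the answer arrives at carried through: the job id is read first, all of the work is inside the try, and every outcome is posted back so the pipeline fails fast with a reason instead of hanging. The role ARN, the distribution id passed through the Invoke action's UserParameters, and the fake clients and sample event at the bottom are all assumptions constructed for this example so it runs offline; in Lambda the real boto3 clients are built. The execution role needs codepipeline:PutJobSuccessResult and codepipeline:PutJobFailureResult plus sts:AssumeRole on the target role, the target role's trust policy must name the execution role, and the target role needs cloudfront:CreateInvalidation; the pipeline's service role needs lambda:InvokeFunction.

```python
import logging
import time

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Assumed placeholder: cross-account role whose trust policy names this function's role.
ASSUME_ROLE_ARN = "arn:aws:iam::123456789012:role/CloudfrontAssumeRole"

def invalidate_distribution(cloudfront, distribution_id):
    """Create a wildcard invalidation and return its id."""
    resp = cloudfront.create_invalidation(
        DistributionId=distribution_id,
        InvalidationBatch={"Paths": {"Quantity": 1, "Items": ["/*"]},
                           "CallerReference": str(time.time()).replace(".", "")})
    return resp["Invalidation"]["Id"]

def lambda_handler(event, context, clients=None):
    """Entry point in Lambda's (event, context) order: the CodePipeline job is `event`.
    `clients` is an injection hook for offline tests; in Lambda it stays None."""
    if clients is None:
        import boto3  # only needed inside Lambda
        clients = {
            "sts": boto3.client("sts"),
            "codepipeline": boto3.client("codepipeline"),
            "cloudfront_factory": lambda c: boto3.client(
                "cloudfront", aws_access_key_id=c["AccessKeyId"],
                aws_secret_access_key=c["SecretAccessKey"],
                aws_session_token=c["SessionToken"]),
        }
    codepipeline = clients["codepipeline"]
    # Take the job id before doing any work: without it nothing can be reported
    # and the action stays "In Progress" until CodePipeline times it out.
    job = event["CodePipeline.job"]
    job_id = job["id"]
    try:
        # The Invoke action's UserParameters carries the distribution id (assumed layout).
        distribution_id = job["data"]["actionConfiguration"]["configuration"]["UserParameters"]
        creds = clients["sts"].assume_role(
            RoleArn=ASSUME_ROLE_ARN, RoleSessionName="cross_acct_lambda")["Credentials"]
        inv_id = invalidate_distribution(clients["cloudfront_factory"](creds), distribution_id)
        logger.info("Invalidation %s created for %s", inv_id, distribution_id)
        codepipeline.put_job_success_result(
            jobId=job_id, executionDetails={"summary": f"Invalidation {inv_id}"})
        return {"status": "Succeeded", "invalidationId": inv_id}
    except Exception as error:
        # Any failure in the work (AssumeRole denied, bad distribution id,
        # throttling) is reported, so the pipeline fails fast with a reason.
        logger.exception("Invalidation failed")
        codepipeline.put_job_failure_result(
            jobId=job_id,
            failureDetails={"type": "JobFailed",
                            "message": f"{type(error).__name__}: {error}"[:5000]})
        return {"status": "Failed", "reason": str(error)}

# ---- Offline fakes and a sample event, constructed for this example ----
class FakeSts:
    def assume_role(self, **kw):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "s", "SessionToken": "t"}}

class FakeCloudFront:
    def __init__(self, fail):
        self.fail = fail
    def create_invalidation(self, **kw):
        if self.fail:
            raise RuntimeError("AccessDenied: cloudfront:CreateInvalidation")
        return {"Invalidation": {"Id": "I2J0V9EXAMPLE"}}

class FakeCodePipeline:
    def __init__(self):
        self.calls = []  # (kind, kwargs) for every result posted back
    def put_job_success_result(self, **kw):
        self.calls.append(("success", kw))
    def put_job_failure_result(self, **kw):
        self.calls.append(("failure", kw))

class FakeContext:  # stands in for LambdaContext: an object, not a dict
    function_name = "cloudfront-invalidation"

def sample_event(job_id="11111111-abcd-1111-abcd-111111abcdef"):
    # Shape of the event CodePipeline sends to a Lambda Invoke action
    return {"CodePipeline.job": {"id": job_id, "data": {"actionConfiguration": {
        "configuration": {"UserParameters": "E1EXAMPLE"}}}}}

def run_offline(fail_cloudfront=False, swap_arguments=False):
    """Run the handler against the fakes; returns (result or exception name, posted results)."""
    cp = FakeCodePipeline()
    clients = {"sts": FakeSts(), "codepipeline": cp,
               "cloudfront_factory": lambda c: FakeCloudFront(fail_cloudfront)}
    args = (sample_event(), FakeContext())
    if swap_arguments:  # reproduce the question's def lambda_handler(context, event)
        args = args[::-1]
    try:
        return lambda_handler(*args, clients), cp.calls
    except Exception as err:
        return type(err).__name__, cp.calls
```

run_offline() posts a success result with the job id from the event; run_offline(fail_cloudfront=True) posts a JobFailed result carrying the exception; run_offline(swap_arguments=True) reproduces the question's situation: the handler raises TypeError on the context object and posts nothing at all, which is exactly the state in which CodePipeline eventually reports that the function "failed to return a result".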
