Lambda函数承担的假定角色的ARN是多少？ [英] What is the ARN of an assumed role assumed by a Lambda function?

问题描述

我试图在我的存储桶策略中使用NotPrincipal元素来明确拒绝对s3存储桶的访问，同时将访问该存储桶的特定Lambda列入白名单。我在NotPrincipal元素中为lambda角色指定了角色ARN并假定角色ARN：

I am trying to use the NotPrincipal element in my bucket policy to explicitly deny access to my s3 bucket while whitelisting a particular lambda that accesses the bucket. I specified the role ARN and assumed role ARN for the lambda's role in the NotPrincipal element:

arn：aws：iam :: {Account ID}：role / service-角色/ {Lambda角色名称}，

"arn:aws:iam::{Account ID}:role/service-role/{Lambda role name}",

arn：aws：sts :: {帐户ID}：假定角色/ {Lambda角色名称} / {角色会话name}

"arn:aws:sts::{Account ID}:assumed-role/{Lambda role name}/{role session name}"

此文档解释了假定角色ARN的结构：
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids

This doc explains the structure of the assumed role ARNs: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids

我似乎无法正确地假定角色ARN。存储桶策略有效，但似乎我可以为角色会话名称（假定角色ARN的最后一部分）提供任何内容，并且该ARN被视为有效。当Lambda或其他服务担任服务角色时，AWS将此角色会话名称设置为什么？是否可以列出角色的活动会话或列出角色的ARN？我当前使用Lambda函数名称作为角色会话名称，但这不起作用（Lambda仍然无法访问存储桶）。

I can't seem to get the assumed role ARN correct. The bucket policy is valid, but it seems I can provide anything for the role session name (the last part of the assumed-role ARN), and the ARN is considered valid. What does AWS set this role session name to when Lambda or other service assumes a service role? Is it possible to list active sessions for a role or list the assumed-role ARNs? I am currently using the Lambda function name for the role session name, but this is not working (the Lambda still cannot access the bucket).

因为我无法使用在NotPrincipal元素中使用通配符，我需要Lambda承担角色后的完整假定角色ARN。

Since I can't use wildcards in the NotPrincipal element, I need the full assumed-role ARN of the Lambda once it assumes the role.

更新：

我尝试使用两个条件拒绝ARN与Lambda角色或假定角色的ARN不匹配的所有请求。 Lambda角色仍然无法使用IAM策略模拟器写入S3。政策如下：

I tried using two conditions to deny all requests where the ARN does not match the ARN of the Lambda role or assumed role. The Lambda role is still denied from writing to S3 using the IAM policy simulator. Here is the policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "WhitelistRegistryAPILambdaRole",
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObjectVersion",
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::{bucket name}",
            "arn:aws:s3:::{bucket name}/*"
        ],
        "Condition": {
            "ArnNotLike": {
                "AWS:SourceARN": "arn:aws:iam::{account ID}:role/{lambda role name}"
            }
        }
    },
    {
        "Sid": "WhitelistRegistryAPILambdaAssumedRole",
        "Effect": "Deny",
        "Principal": "*",
        "Action": [
            "s3:PutObject",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObjectVersion",
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::{bucket name}",
            "arn:aws:s3:::{bucket name}/*"
        ],
        "Condition": {
            "ArnNotLike": {
                "AWS:SourceARN": "arn:aws:sts::{account ID}:assumed-role/{lambda role name}/{lambda function name}"
            }
        }
    }
]

}

推荐答案

TL; DR：

Lambda的假定角色ARN函数的构造如下：

TL;DR:

The Assumed Role ARN of a Lambda Function is constructed as this:

arn:aws:sts::{AccountID}:assumed-role/{RoleName}/{FunctionName}

---

详细信息：

因此，在您的情况下，角色会话名称是lambda函数名称。
通过尝试从您没有权限的Lambda（例如，DynamoDB ListTables）中调用API，可以轻松地验证这一点。回调中的错误消息还将包含假定的角色ARN（请注意，当操作被拒绝时，诸如S3之类的某些服务不会提供详细的错误消息。DynamoDB，Lambda和大多数最近启动的服务都将提供。）

---

Details:

So the "role session name" is, in your case, the lambda function name. You can easily verify this, by trying to call an API from your Lambda (DynamoDB ListTables for example) for which you do not have permissions. The error message in the callback will also contain the assumed role ARN (note that some service such as S3 do not provide detailed error messages when an operation is denied. DynamoDB, Lambda, and most of the recently launched services, will.)

我不确定要为什么需要NotPrincipal，因为可能有更好的方法来处理您描述的情况：）更多信息对提供更精确的答案。

来自 AWS IAM文档：

重要提示：很少有情况需要使用NotPrincipal，而我们
建议您在
决定使用NotPrincipal之前探索其他授权选项。

Important: Very few scenarios require the use of NotPrincipal, and we recommend that you explore other authorization options before you decide to use NotPrincipal.

这篇关于Lambda函数承担的假定角色的ARN是多少？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！