How can I grant permission to API Gateway to invoke lambda functions through CloudFormation?


Problem description

I've been all over the web searching for an answer to this.

Essentially, we're spinning up an API using Swagger, which is awesome and works great, but one thing doesn't work... When we make a call to an Endpoint, we get a 500 error (it's not a 500 error that we're providing either; it's one from AWS). The error states "Execution failed due to configuration error: Invalid permissions on Lambda function" (https://youtu.be/H4LM_jw5zzs <- This is a video, from another user, of the error I'm getting).

I've gone down many ratholes, and have found an answer... It involves using the AWS CLI and looks a bit like this:

aws lambda add-permission \
--function-name FUNCTION_NAME \
--statement-id STATEMENT_ID \
--action lambda:InvokeFunction \
--principal apigateway.amazonaws.com \
--source-arn "arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/METHOD/ENDPOINT"

This is great and all, but we are using CloudFormation to spin up everything and we want this to be automated. Is there an easier way to go about this? Is there something in CloudFormation that will give us the resource policy that we need?

I'm hitting a bit of a wall with this, but I've been working on it for a few hours today and it's a bit of a blocker for our API release, so any help would be much appreciated. :)

Recommended answer

There is a CloudFormation solution to this problem. See the following CloudFormation snippet:

"Permission": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
        "FunctionName": { "Fn::GetAtt": [ "Lambda", "Arn" ] },
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": { "Fn::Join": [ "", [
            "arn:aws:execute-api:",
            { "Ref": "AWS::Region" }, ":",
            { "Ref": "AWS::AccountId" }, ":",
            { "Ref": "API" },
            "/*/*/*"
        ] ] }
    }
}

This grants API Gateway permissions to launch your Lambda function. Variables in this snippet you need to change are Lambda (line 4) and API (line 11).
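
The `/*/*/*` suffix in the answer's SourceArn lets every stage, method and path of the API invoke the function, while the CLI command in the question scopes the grant to one METHOD/ENDPOINT. The following is an added example, not part of the original question or answer: a Python check that walks a template and reports API Gateway permissions with no SourceArn or with a catch-all route scope. The resource names `ScopedPermission` and `OpenPermission`, the `GET/pets` route and the finding labels are constructed for illustration.

```python
import re

# Constructed sample template (resource names and the GET/pets route are hypothetical).
TEMPLATE = {"Resources": {
    "Permission": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "Principal": "apigateway.amazonaws.com",
        "SourceArn": {"Fn::Join": ["", ["arn:aws:execute-api:", {"Ref": "AWS::Region"}, ":",
                      {"Ref": "AWS::AccountId"}, ":", {"Ref": "API"}, "/*/*/*"]]}}},
    "ScopedPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "Principal": "apigateway.amazonaws.com",
        "SourceArn": {"Fn::Sub":
                      "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${API}/*/GET/pets"}}},
    "OpenPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "Principal": "apigateway.amazonaws.com"}},
}}

def flatten(value):
    """Render a SourceArn as text; intrinsic references become the token REF."""
    if isinstance(value, str):
        return re.sub(r"\$\{[^}]*\}", "REF", value)
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(flatten(p) for p in parts)
    if isinstance(value, dict) and "Fn::Sub" in value:
        sub = value["Fn::Sub"]
        return flatten(sub if isinstance(sub, str) else sub[0])
    return "REF"

def audit(template):
    """Map each API Gateway Lambda permission that is too broad to a finding."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if (res.get("Type") != "AWS::Lambda::Permission"
                or props.get("Principal") != "apigateway.amazonaws.com"):
            continue
        if "SourceArn" not in props:
            findings[name] = "unscoped"      # no SourceArn restriction
            continue
        # Resource part of an execute-api ARN: api-id/stage/METHOD/path
        resource = flatten(props["SourceArn"]).split(":", 5)[-1]
        api, stage, method, path = (resource.split("/", 3) + ["*"] * 3)[:4]
        if api == "*":
            findings[name] = "any-api"       # not tied to one API
        elif method == "*" and path == "*":
            findings[name] = "all-routes"    # every method and path may invoke
    return findings

if __name__ == "__main__":
    print(audit(TEMPLATE))
```

A wildcard stage alone is not reported, since the question's own CLI example uses `API_ID/*/METHOD/ENDPOINT`.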
