How to add Policies to AWS Lambda function using the .yaml file?

Question

I am developing a REST API with AWS Lambda, API Gateway and RDS (MySQL). I am using the aws-sam tool to build, configure and publish my work to the cloud.

Please check the template.yaml file below, which I am using now.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get

However, to enable my Lambda function to find the database, I had to enable some policies from the AWS web console. I followed this link: https://ao.ms/the-provided-execution-role-does-not-have-permissions-to-call-createnetworkinterface-on-ec2/

Below is the policy I created for my Lambda function in the AWS web console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

However, there is no way I can do this in the web console, function by function. I need to get this done in the YAML file.

With the YAML file provided above, how can I give these permissions to my Lambda function?

------------ UPDATE --------------

Following Gaurauv's comment, I made the following changes to the YAML file.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get
      Role: !GetAtt LambdaRole.Arn
  
  LambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: 'ec2-access-policy'
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'

However, it failed to deploy; the following error was produced.

CREATE_FAILED    AWS::IAM::Role    LambdaRole    Property AssumeRolePolicyDocument cannot be empty.

Answer

According to the IAM::Role resource, you need an AssumeRolePolicyDocument when creating a Role. This property manages the trust policy that is associated with this role. Trust policies define which entities can assume the role. You can associate only one trust policy with a role.

Kindly find an updated Role resource for your use case below:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'
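As an added example, not part of the original question or answer, here is the questioner's template wired to such a role end to end. Two things the answer's Role snippet does not show: the function needs a VpcConfig before the ENI permissions matter at all (without it the function runs outside the VPC and never reaches the RDS subnets), and the ec2 statement hand-copied from the blog post is wider than Lambda's VPC networking uses. AWS's managed policy AWSLambdaVPCAccessExecutionRole already grants ec2:CreateNetworkInterface, ec2:DescribeNetworkInterfaces and ec2:DeleteNetworkInterface (plus DescribeSubnets and private-IP assignment) together with the CloudWatch Logs actions, while ec2:DescribeInstances and ec2:AttachNetworkInterface are not among the actions Lambda requires, so this example attaches the managed policy instead of an inline `Resource: '*'` statement. The LambdaSubnetIds and LambdaSecurityGroupId parameters are assumptions: you supply the subnets and security group that can reach the RDS instance at deploy time.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: aaaa-restapi with an execution role that can attach to the RDS VPC

Parameters:
  # Assumed inputs: private subnets and a security group that the RDS
  # security group allows on port 3306. Hypothetical values at deploy time.
  LambdaSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  LambdaSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      # Use the role declared below instead of letting SAM generate one.
      Role: !GetAtt LambdaRole.Arn
      # Without VpcConfig the function has no ENI in the VPC and cannot
      # reach a private RDS endpoint, whatever the role permits.
      VpcConfig:
        SubnetIds: !Ref LambdaSubnetIds
        SecurityGroupIds:
          - !Ref LambdaSecurityGroupId
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /accounttype
            Method: get

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      # Trust policy: the property whose absence produced the CREATE_FAILED.
      # Only the Lambda service principal may assume this role.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Logs plus the ENI create/describe/delete actions Lambda needs for
      # VPC access. This replaces both AWSLambdaBasicExecutionRole and the
      # hand-written ec2 policy from the question.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
```

Deploy it with the usual `sam build` and `sam deploy --guided`, supplying the two parameters. If you do not need to manage the role by hand, the other route is to drop `Role` and `LambdaRole` entirely and put a `Policies:` list on the function (SAM accepts managed policy names or ARNs there): SAM then generates the execution role itself, including the lambda.amazonaws.com trust policy, and attaches AWSLambdaBasicExecutionRole for you, so the missing-AssumeRolePolicyDocument error cannot occur. Whichever route you take, check the deployed role with `aws iam get-role` and `aws iam list-attached-role-policies` and confirm it carries nothing beyond the ENI and logging actions.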
