Lambda.InvokeAccessDenied from Kinesis Firehose


Question

I'm trying to set up Lambda transformations with a Firehose delivery stream. I have an IAM role defined for the Firehose which includes the following policy document:

{
    "Statement": {
        "Action": [
            "lambda:InvokeFunction",
            "lambda:GetFunctionConfiguration"
        ],
        "Resource": [<Arn>, ...],
        "Effect": "Allow"
    }
}

I've also granted sts:AssumeRole access to the Lambda role from Firehose.

This should theoretically grant my Firehose "Invoke" access to the specified lambda ARNs. But the transforms are failing with

{
  "errorCode":"Lambda.InvokeAccessDenied",
  "errorMessage":"Access was denied. Ensure that the access policy allows access to the Lambda function."
}

and no function invocations are apparent from the Lambda console. Do I have my IAM components configured correctly? Or could something else be going wrong here?

Recommended answer

Elsewhere in the ProcessingConfiguration for my Firehose, I had supplied a role to execute the lambda which did not have adequate permissions. By removing

- ParameterName: RoleArn
  ParameterValue:
    Fn::GetAtt: [<Role>, Arn]

from the ProcessingConfiguration config set, the lambda was able to execute successfully using the appropriate role/policy.
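
An added example, not part of the original question or answer: an offline check for the misconfiguration described above, which flags any Lambda processor whose `RoleArn` parameter names a role with no `lambda:InvokeFunction` permission on the processor's `LambdaArn`. The helper names, ARNs and policy documents are constructed for illustration, the policies are passed in as data rather than fetched from IAM, and the evaluation is simplified (it ignores `NotAction`, `NotResource` and `Condition`).

```python
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM accepts one item or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    value = value.lower() if fold_case else value
    return any(fnmatchcase(value, p.lower() if fold_case else p) for p in _as_list(patterns))

def role_can_invoke(policy_docs, lambda_arn):
    """True if an Allow statement, and no Deny, covers lambda:InvokeFunction on lambda_arn."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if not (_matches(stmt.get("Action", []), "lambda:InvokeFunction", True)
                    and _matches(stmt.get("Resource", []), lambda_arn)):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def audit_processors(processing_config, policies_by_role):
    """Return (LambdaArn, RoleArn) for each Lambda processor whose RoleArn cannot invoke it."""
    findings = []
    for proc in processing_config.get("Processors", []):
        if proc.get("Type") != "Lambda":
            continue
        params = {p["ParameterName"]: p["ParameterValue"] for p in proc.get("Parameters", [])}
        role, fn = params.get("RoleArn"), params.get("LambdaArn")
        if role and fn and not role_can_invoke(policies_by_role.get(role, []), fn):
            findings.append((fn, role))
    return findings

# Constructed sample data: account id, role names and function name are placeholders.
FN = "arn:aws:lambda:us-east-1:111122223333:function:transform"
STREAM_ROLE = "arn:aws:iam::111122223333:role/firehose-delivery"
OTHER_ROLE = "arn:aws:iam::111122223333:role/lambda-exec"
POLICIES = {
    STREAM_ROLE: [{"Statement": {"Effect": "Allow", "Resource": [FN], "Action": [
        "lambda:InvokeFunction", "lambda:GetFunctionConfiguration"]}}],
    OTHER_ROLE: [{"Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}],
}

def config(role_arn):
    return {"Enabled": True, "Processors": [{"Type": "Lambda", "Parameters": [
        {"ParameterName": "LambdaArn", "ParameterValue": FN},
        {"ParameterName": "RoleArn", "ParameterValue": role_arn}]}]}
print(audit_processors(config(OTHER_ROLE), POLICIES))  # the under-privileged role is flagged
```

A processor with no `RoleArn` parameter produces no finding, which corresponds to the fix in the answer.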
