Lambda permissions error when setup using CloudFormation and API Gateway proxy


Problem description

I am trying to write a CloudFormation script that would create a Lambda function and hook it up to the API Gateway proxy resource. Stack creation works, but there is something wrong with permissions or integration config: when I test the endpoint, I keep getting


Mon Feb 12 06:45:28 UTC 2018 : Endpoint response body before transformations: Unable to determine service/operation name to be authorized

Mon Feb 12 06:45:28 UTC 2018 : Endpoint response headers: {Connection=keep-alive, x-amzn-RequestId=4fdf1e92-0fc0-11e8-b3f1-0134476f962c, Content-Length=130, Date=Mon, 12 Feb 2018 06:45:28 GMT}
Mon Feb 12 06:45:28 UTC 2018 : Execution failed due to configuration error: Malformed Lambda proxy response
Mon Feb 12 06:45:28 UTC 2018 : Method completed with status: 502

Here is my cloudformation script:

AWSTemplateFormatVersion: 2010-09-09
Description: An API that proxies requests to another HTTP endpoint

Resources:
  MyFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Handler: samplefunction.lambda_handler
      Runtime: python2.7
      Code:
        S3Bucket: "ilya-lambdas"
        S3Key: "lambda-code.zip"
      Role: 'arn:aws:iam::acc-id:role/service-role/basic_lambda_role'


  Api:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: foo3

  Resource:
    Type: 'AWS::ApiGateway::Resource'
    Properties:
      ParentId: !GetAtt Api.RootResourceId
      RestApiId: !Ref Api
      PathPart: 'test'


  RootMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: ANY
      ResourceId: !GetAtt Api.RootResourceId
      RestApiId: !Ref Api 
      Integration:
          IntegrationHttpMethod: ANY
          IntegrationResponses:
            - StatusCode: 200
              SelectionPattern: .*
          Type: AWS_PROXY
          PassthroughBehavior: WHEN_NO_MATCH
          Uri: !Join ["", ["arn:aws:apigateway:", "us-east-1", ":lambda:path/2015-03-31/functions/", !GetAtt MyFunction.Arn, "/invocations"] ]
          Credentials: 'arn:aws:iam::acc-id:role/service-role/basic_lambda_role'

  ProxyMethod:
      Type: 'AWS::ApiGateway::Method'
      Properties:
        HttpMethod: ANY
        ResourceId: !Ref Resource
        RestApiId: !Ref Api
        AuthorizationType: NONE
        Integration:
          IntegrationHttpMethod: ANY
          IntegrationResponses:
            - StatusCode: 200
              SelectionPattern: .*
          Type: AWS_PROXY
          Uri: !Join ["", ["arn:aws:apigateway:", "us-east-1", ":lambda:path/2015-03-31/functions/", !GetAtt MyFunction.Arn, "/invocations"] ]
          PassthroughBehavior: WHEN_NO_MATCH
          Credentials: 'arn:aws:iam::acc-id:role/service-role/basic_lambda_role'

  FunctionPermissions:
    Type: "AWS::Lambda::Permission"
    Properties: 
      Action: "lambda:InvokeFunction"        
      FunctionName: !GetAtt MyFunction.Arn
      Principal: "apigateway.amazonaws.com"
      SourceArn: !Join [ "", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref Api, "/*/*/*" ] ] 



  Deployment:
    DependsOn:
      - MyFunction
      - RootMethod
      - ProxyMethod
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref Api
      StageName: prod

I've been stuck on this for a while now, any pointers will be greatly appreciated.

Recommended answer

After some trial and error, combined with Miles' advice, I've arrived at the working CloudFormation script:

AWSTemplateFormatVersion: 2010-09-09
Description: An API that proxies requests to another HTTP endpoint

Resources:
  MyFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Handler: samplefunction.lambda_handler
      Runtime: python2.7
      Code:
        S3Bucket: "ilya-lambdas"
        S3Key: "lambda-code.zip"
      Role: !Join ["", ["arn:aws:iam::", !Ref "AWS::AccountId", ":role/service-role/basic_lambda_role"] ]


  Api:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: foo3

  Resource:
    Type: 'AWS::ApiGateway::Resource'
    Properties:
      ParentId: !GetAtt Api.RootResourceId
      RestApiId: !Ref Api
      PathPart: 'test'


  RootMethod:
    Type: 'AWS::ApiGateway::Method'
    Properties:
      AuthorizationType: NONE
      HttpMethod: ANY
      ResourceId: !GetAtt Api.RootResourceId
      RestApiId: !Ref Api 
      Integration:
          IntegrationHttpMethod: POST
          Type: AWS_PROXY
          PassthroughBehavior: WHEN_NO_MATCH
          Uri: !Join ["", ["arn:aws:apigateway:", "us-east-1", ":lambda:path/2015-03-31/functions/", !GetAtt MyFunction.Arn, "/invocations"] ]

  ProxyMethod:
      Type: 'AWS::ApiGateway::Method'
      Properties:
        HttpMethod: ANY
        ResourceId: !Ref Resource
        RestApiId: !Ref Api
        AuthorizationType: NONE
        Integration:
          IntegrationHttpMethod: POST
          Type: AWS_PROXY
          Uri: !Join ["", ["arn:aws:apigateway:", "us-east-1", ":lambda:path/2015-03-31/functions/", !GetAtt MyFunction.Arn, "/invocations"] ]
          PassthroughBehavior: WHEN_NO_MATCH

  FunctionPermissions:
    Type: "AWS::Lambda::Permission"
    Properties: 
      Action: "lambda:InvokeFunction"        
      FunctionName: !GetAtt MyFunction.Arn
      Principal: "apigateway.amazonaws.com"
      SourceArn: !Join [ "", ["arn:aws:execute-api:", !Ref "AWS::Region", ":", !Ref "AWS::AccountId", ":", !Ref Api, "/*" ] ] 

  Deployment:
    DependsOn:
      - MyFunction
      - RootMethod
      - ProxyMethod
    Type: 'AWS::ApiGateway::Deployment'
    Properties:
      RestApiId: !Ref Api
      StageName: prod

Summary of differences between what I had yesterday (not working), and this (working):


  1. Removed the Credentials object from the Integration sections.
  2. Changed IntegrationHttpMethod from ANY to POST (kudos to Miles for pointing this out)
  3. Under FunctionPermissions changed SourceArn to end with /* instead of /*/*/*

While in this instance the response of my Lambda function wasn't a problem, it is important that it is formatted correctly. So here is my function; I hope having it all in one place will be helpful to folks.

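def lambda_handler(event, context):
    # Shape required by an AWS_PROXY (Lambda proxy) integration.
    response = {
        # Must be a boolean, not the string "false".
        "isBase64Encoded": False,
        "statusCode": 200,
        "headers": { "Content-Type": "application/json"},
        # The body must be a string.
        "body": "hello from sample function"
    }

    return response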
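
The three changes listed in the answer can be checked mechanically before a stack is deployed. The following is an added example, not part of the original answer: it lints a template in CloudFormation's JSON form (already parsed into a dict) for those settings, plus the unauthenticated method both templates keep. The finding names, the `sample` helper and the account ID 111122223333 are constructed for illustration.

```python
ROLE = "arn:aws:iam::111122223333:role/service-role/basic_lambda_role"  # constructed account id
API_ARN = {"Fn::Join": ["", ["arn:aws:execute-api:", {"Ref": "AWS::Region"}, ":",
                             {"Ref": "AWS::AccountId"}, ":", {"Ref": "Api"}, "/*"]]}

def flat(v):
    """Render a CloudFormation value as text; Ref/GetAtt become ${...} placeholders."""
    if isinstance(v, dict) and "Fn::Join" in v:
        return v["Fn::Join"][0].join(flat(p) for p in v["Fn::Join"][1])
    if isinstance(v, dict):  # Ref or Fn::GetAtt
        return "${%s}" % (v.get("Ref") or ".".join(v.get("Fn::GetAtt", [])))
    return "" if v is None else str(v)

def lint(template):
    """Return sorted (resource, finding) pairs for a parsed JSON-form template."""
    res = template.get("Resources", {})
    exec_roles = {flat(r.get("Properties", {}).get("Role"))
                  for r in res.values() if r.get("Type") == "AWS::Lambda::Function"}
    out = []
    for name, r in res.items():
        kind, p = r.get("Type"), r.get("Properties", {})
        integ = p.get("Integration", {})
        if kind == "AWS::ApiGateway::Method" and ":lambda:path/" in flat(integ.get("Uri")):
            creds = flat(integ.get("Credentials"))
            if integ.get("IntegrationHttpMethod") != "POST":  # Lambda's Invoke API is POST only
                out.append((name, "lambda-invoke-must-be-POST"))
            if creds and creds in exec_roles:  # function's own execution role reused by the gateway
                out.append((name, "credentials-is-function-execution-role"))
            if p.get("AuthorizationType") == "NONE":  # anyone who can reach the URL can call it
                out.append((name, "method-open-to-anonymous-callers"))
        if kind == "AWS::Lambda::Permission" and p.get("Principal") == "apigateway.amazonaws.com":
            # The resource part of an execute-api ARN is api-id/stage/METHOD/path.
            api_id = flat(p.get("SourceArn")).rsplit(":", 1)[-1].split("/")[0]
            if api_id in ("", "*"):  # missing SourceArn, or a wildcard API id
                out.append((name, "permission-not-bound-to-one-api"))
    return sorted(out)

def sample(http_method, credentials, source_arn):
    """Constructed JSON-form cut of the page's template (function, ProxyMethod, permission)."""
    integ = {"Type": "AWS_PROXY", "IntegrationHttpMethod": http_method, "Uri": {"Fn::Join": ["", [
        "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/",
        {"Fn::GetAtt": ["MyFunction", "Arn"]}, "/invocations"]]}}
    if credentials:
        integ["Credentials"] = credentials
    return {"Resources": {
        "MyFunction": {"Type": "AWS::Lambda::Function", "Properties": {"Role": ROLE}},
        "ProxyMethod": {"Type": "AWS::ApiGateway::Method", "Properties": {
            "AuthorizationType": "NONE", "HttpMethod": "ANY", "Integration": integ}},
        "FunctionPermissions": {"Type": "AWS::Lambda::Permission", "Properties": {
            "Principal": "apigateway.amazonaws.com", "SourceArn": source_arn}}}}
```

Run against the working layout, `lint(sample("POST", None, API_ARN))` still reports the open method, because both templates on this page set `AuthorizationType: NONE`.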
