允许所有cloudwatch事件规则都可以访问lambda函数 [英] Allow all cloudwatch event rules to have access to lambda function

问题描述

在尝试为cloudwatch事件规则提供访问以按计划触发lambda函数时，我遇到了lambda函数策略的硬限制。

I have been encountering a hard limit on lambda function policy when trying to provision access for a cloudwatch event rule to trigger the lambda function on a scheduled basis.

An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20670) is bigger than the limit (20480).

它适用于新的lambda函数，但最终其策略会肿，并且将对

It works for a new lambda function, but eventually its policy will bloat and will hit a hard limit on the number on cloudwatch event rule that can access it.

有人说要重新创建功能（删除/创建），但这在生产环境中已经配置了cloudwatch事件，导致现有事件无法访问lambda函数。

Some said to re-create the function (delete/create), but this won't be an option in a production environment where cloudwatch events are already configured in it, resulting to the existing ones to lose access to the lambda function.

使用aws cli，我能够提取出我的lambda函数的政策，它看起来像这样：

Using the aws cli, i was able to extract the policy of my lambda function, it loooks like this:

"Statement": [{
    "Sid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "Effect": "Allow",
        "Principal": {
            "Service": "events.amazonaws.com"
        },
        "Action": "lambda:*",
        "Resource": "arn:aws:lambda:xxxxx:xxxxxxxxxxx:function:xxxxxxxxxxxxx",
        "Condition": {
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:events:xxxxxxx:xxxxxx:rule/xxxxxxxxx"
            }
        }
}]

所以我正在寻找类似于AWS：SourceArn

So i was looking onto something like for the AWS:SourceArn

arn:aws:events:xxxxxxx:xxxxxx:rule/*

为避免达到硬限制，但我似乎做不到。即使在控制台上的lambda函数本身中，您也无法创建这样的规则，该规则将允许指定帐户的所有cloudwatch事件使用通配符'*'访问lambda函数。

To avoid hitting a hard limit, but i cannot seem to do it. Even in the lambda function itself on the console, you won't be able to create such a rule that will allow all cloudwatch event of a specified account to have access to the lambda function using a wildcard '*'.

非常欢迎提出建议。谢谢大家

Suggestions are much welcome. Thank you guys

推荐答案

已接受，没有错误：

$ aws lambda add-permission --function-name function_name\
    --action 'lambda:InvokeFunction' --principal events.amazonaws.com \
    --statement-id '1' \
    --source-arn arn:aws:events:ap-southeast-2:123456789012:rule/*

这将接受所有CloudWatch Events规则。

This will accept all CloudWatch Events rules.

您可以改为命名规则，使您想要的规则allow都可以在名称中具有相同的前缀，例如：

You could instead name your rules such that the ones you want to allow can all have the same prefix in their name, eg:

--source-arn arn:aws:events:ap-southeast-2:123456789012:rule/Event-*

这篇关于允许所有cloudwatch事件规则都可以访问lambda函数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！