How does a custom role (of Lambda) work with an EC2 role policy?

Question

Below is the custom execution role (some-role-serv-LogicalID-GDGGGGGBMW2) created for a Lambda function (AWS::Serverless::Function) written using a SAM template:
{
  "permissionsBoundary": {
    "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
    "permissionsBoundaryType": "Policy"
  },
  "roleName": "some-role-serv-LogicalID-GDGGGGGBMW2",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:us-east-1:111222333444:someq*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:us-east-1:111222333444:log-group:*",
            "Effect": "Allow"
          }
        ]
      },
      "name": "lambda-policy",
      "type": "inline"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}
where some-permission-boundary is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:111222333444:log-group:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:DeleteMessage",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:ListDeadLetterSourceQueues",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl"
      ],
      "Resource": [
        "arn:aws:sqs:us-east-1:111222333444:someq*"
      ],
      "Effect": "Allow"
    }
  ]
}
some-role-serv-LogicalID-GDGGGGGBMW2 is assigned a permission boundary (some-permission-boundary) in the SAM template.

The Lambda function assumes the custom role with the below SAM template syntax:

Role: !GetAtt LogicalID.Arn

During deployment, the Lambda is created (using sam deploy) from a docker container within EC2, where an additional role policy (below) is assumed by EC2:
{
  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
    }
  },
  "Action": [
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::111222333444:role/some-role*"
  ],
  "Effect": "Allow"
}
This EC2 policy should ensure that any custom role (e.g. some-role-serv-LogicalID-GDGGGGGBMW2) without the following property:

PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary

is not allowed to be created (role some-role-serv-LogicalID-GDGGGGGBMW2).

I get the below error while creating the stack:

The stack is created successfully, however,

1) Why does the sam deploy command get this error?

2) Does the EC2 policy disallow creation of the custom role (some-role-serv-LogicalID-GDGGGGGBMW2) that comes without the permission boundary (some-permission-boundary)? As expected...
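To make the relationship between the role's inline policy and its permissions boundary concrete, here is an added example (not code from the original question) that models how AWS evaluates the two: a request is allowed only if both the role's own policy and the boundary allow it. The model is deliberately simplified (no Deny statements, resource-based policies, SCPs or session policies); the two policies are the ones pasted above, and the sample queue ARN and action names used in the demo are constructed.

```python
"""Effective permissions of a role that carries a permissions boundary.

Added example, not code from the original question. AWS evaluates an
identity-based policy and a permissions boundary as an intersection: a request
is allowed only if BOTH the role's own policy and the boundary allow it.
Explicit Deny statements, resource-based policies, SCPs and session policies
are left out of this simplified model. The two policies are the ones pasted in
the question; the queue ARN used in the demo is constructed.
"""
from fnmatch import fnmatchcase

# Inline policy "lambda-policy" attached to the Lambda role (from the question).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:us-east-1:111222333444:someq*",
            "Effect": "Allow",
        },
        {
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:111222333444:log-group:*",
            "Effect": "Allow",
        },
    ],
}

# some-permission-boundary (from the question).
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": ["arn:aws:logs:us-east-1:111222333444:log-group:*"],
            "Effect": "Allow",
        },
        {
            "Action": [
                "sqs:DeleteMessage", "sqs:ReceiveMessage", "sqs:SendMessage",
                "sqs:ListDeadLetterSourceQueues", "sqs:GetQueueAttributes", "sqs:GetQueueUrl",
            ],
            "Resource": ["arn:aws:sqs:us-east-1:111222333444:someq*"],
            "Effect": "Allow",
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """ARNs are compared case-sensitively here (a few services differ)."""
    return fnmatchcase(resource, pattern)


def policy_allows(policy, action, resource):
    """True if some Allow statement in `policy` matches both action and resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_action_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_ok = any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def effective_decision(role_policy, boundary, action, resource):
    """Return 'allow', or name the side of the intersection that blocks the request."""
    if not policy_allows(role_policy, action, resource):
        return "denied by role policy"
    if not policy_allows(boundary, action, resource):
        return "denied by permissions boundary"
    return "allow"


if __name__ == "__main__":
    queue = "arn:aws:sqs:us-east-1:111222333444:someq1"  # constructed sample ARN
    for action in ("sqs:SendMessage", "sqs:PurgeQueue", "sqs:CreateQueue"):
        print(f"{action:<20} {effective_decision(ROLE_POLICY, BOUNDARY, action, queue)}")
```

The point the demo makes: the inline policy's sqs:* looks broad, but the boundary narrows the role to the six SQS actions it lists, so sqs:PurgeQueue on the same queue is refused by the boundary even though the role policy would allow it.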
Answer

The error states that your EC2 instance, the entity that is calling the sam deploy action, does not have permissions to perform iam:GetRolePolicy, which really is the case here.

The problem is that while you can restrict the other 4 actions with this condition
"Condition": {
  "StringEquals": {
    "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
  }
}
you can't do the same for GetRolePolicy. This action can't be restricted by that condition, otherwise its effect is nullified. The only service-level condition applicable to this action is iam:ResourceTag.

If you go to the management console and try to create such an IAM policy, you can see this warning, caused by the combination of your condition with the iam:GetRolePolicy action:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

The solution is to split your statement into two. First, one with that condition to restrict creation of IAM roles that do not have the necessary permission boundary, together with the other IAM actions except the mentioned iam:GetRolePolicy. Then you should create a second statement containing just iam:GetRolePolicy without that condition.
{
  "Condition": {
    "StringEquals": {
      "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
    }
  },
  "Action": [
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:DetachRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::111222333444:role/some-role*"
  ],
  "Effect": "Allow"
}

and

{
  "Action": [
    "iam:GetRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::111222333444:role/some-role*"
  ],
  "Effect": "Allow"
}
And to answer your second question: yes, you can use the iam:PermissionsBoundary condition key together with iam:CreateRole to prevent roles without a specific permission boundary from being created.
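The split the answer describes can be checked and applied mechanically. The following is an added example, not the answerer's code: it flags the actions in a statement that the iam:PermissionsBoundary condition silently nullifies, and rewrites the statement into the two the answer shows. The support table (BOUNDARY_AWARE_ACTIONS) is an assumption limited to the actions on this page; verify it against the IAM service authorization reference before extending it to other actions.

```python
"""Splitting an IAM statement whose condition key does not apply to all actions.

Added example, not the answerer's code. The condition key
iam:PermissionsBoundary is evaluated for the role-mutating actions in the
question's statement (CreateRole, AttachRolePolicy, PutRolePolicy,
DetachRolePolicy) but not for iam:GetRolePolicy, so a single statement that
combines them grants nothing for GetRolePolicy. The support table below is an
assumption limited to the actions on this page; check the IAM service
authorization reference before extending it.
"""
import copy
import json

# Assumed table: actions from the page that accept the iam:PermissionsBoundary key.
BOUNDARY_AWARE_ACTIONS = frozenset({
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:DetachRolePolicy",
})
CONDITION_KEY = "iam:PermissionsBoundary"

# The EC2 instance role statement from the question.
EC2_STATEMENT = {
    "Condition": {
        "StringEquals": {
            CONDITION_KEY: "arn:aws:iam::111222333444:policy/some-permission-boundary"
        }
    },
    "Action": [
        "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
        "iam:DetachRolePolicy", "iam:GetRolePolicy",
    ],
    "Resource": ["arn:aws:iam::111222333444:role/some-role*"],
    "Effect": "Allow",
}


def _uses_key(stmt, key):
    """True if any condition operator block in the statement references `key`."""
    return any(key in values for values in stmt.get("Condition", {}).values())


def _actions(stmt):
    return stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]


def dead_actions(stmt, key=CONDITION_KEY):
    """Actions the statement lists but can never grant, because `key` does not apply to them."""
    if not _uses_key(stmt, key):
        return []
    return [a for a in _actions(stmt) if a not in BOUNDARY_AWARE_ACTIONS]


def split_statement(stmt, key=CONDITION_KEY):
    """Return one or two statements: actions that support `key` keep the full
    condition; the rest move to a copy with only that key removed."""
    if not _uses_key(stmt, key):
        return [stmt]
    conditioned = [a for a in _actions(stmt) if a in BOUNDARY_AWARE_ACTIONS]
    unconditioned = [a for a in _actions(stmt) if a not in BOUNDARY_AWARE_ACTIONS]
    result = []
    if conditioned:
        first = copy.deepcopy(stmt)
        first["Action"] = conditioned
        result.append(first)
    if unconditioned:
        second = copy.deepcopy(stmt)
        second["Action"] = unconditioned
        # Remove only this key; any other condition keys stay in force.
        for operator in list(second["Condition"]):
            second["Condition"][operator].pop(key, None)
            if not second["Condition"][operator]:
                del second["Condition"][operator]
        if not second["Condition"]:
            del second["Condition"]
        result.append(second)
    return result


if __name__ == "__main__":
    print("actions granted nothing:", dead_actions(EC2_STATEMENT))
    policy = {"Version": "2012-10-17", "Statement": split_statement(EC2_STATEMENT)}
    print(json.dumps(policy, indent=2))
```

Running it on the question's statement reports iam:GetRolePolicy as the action that receives no permission and emits the same two statements the answer proposes; the second keeps the Resource restriction to role/some-role*, so the read-only action is not widened beyond the roles the deployment needs to inspect.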