无法获取SAM模板资源中策略定义的语法（无服务器功能） [英] Could not get the syntax of policy definition in SAM template resource(serverless function)

问题描述

AWS受管策略（ AWSLambdaExecute ）的策略定义为：

  {
版本： 2012-10-17，
声明：[
 {
效果：允许 ，
 Action：[ logs：*]，
 Resource： arn：aws：logs：*：*：* 
}，
 {
效果：允许，
动作：[ s3：GetObject， s3：PutObject]，
资源： arn：aws：s3 ::: * 
} 
] 
} 
  

---

但是

---

我们是否覆盖了 AWSLambdaExecute

解决方案

在指定策略时，基本上是在构建lambda函数的执行角色。

p>

策略是策略列表，因为角色可以包含多个策略。

此行

 -AWSLambdaExecute＃受管策略
  

声明您正在创建的lambda函数应包括此AWS托管策略

  {
版本： 2012-10-17，
声明：[
 {
效果：允许，
动作：[日志：*]，
资源： arn：aws：logs：*：*：* 
}， 
 {
 Effect：允许，
 Action：[ s3：GetObject， s3：PutObject]，
 Resource： arn： aws：s3 ::: * 
} 
] 
} 
  

以下几行：

 -版本：'2012-10-17'＃政策文件
声明：
-效果：允许
操作：
-s3：GetObject 
-s3：GetObjectACL 
资源：'arn：aws：s3 ::: my-bucket / *'
  

指定要包含在lambda执行角色中的下一个策略。

在此示例中我们是否重写了AWSLambdaExecute的策略定义？

否，我们将多个策略添加到lambda执行角色，其中之一是AWS托管策略，一个是我们自己的自定义策略。因此，lambda函数将在两个函数中都定义权限。或更准确地说，将对这些策略进行合并，并且lambda函数将具有由该联合定义的权限，这意味着，如果其中一个策略允许lambda函数执行某项操作，而另一个策略拒绝同一件事，则结果将是该操作将被拒绝。

Policy definition of AWS managed policy(AWSLambdaExecute) is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

---

But the AWS_documentation gives a sample serverless function using the same policy name AWSLambdaExecute, as shown below:

Type: AWS::Serverless::Function
  Properties:
    Handler: index.js
    Runtime: nodejs8.10
    CodeUri: 's3://my-code-bucket/my-function.zip'
    Description: Creates thumbnails of uploaded images
    MemorySize: 1024
    Timeout: 15
    Policies:
     - AWSLambdaExecute # Managed Policy
     - Version: '2012-10-17' # Policy Document
       Statement:
         - Effect: Allow
           Action:
             - s3:GetObject
             - s3:GetObjectACL
           Resource: 'arn:aws:s3:::my-bucket/*'

---

that does not match with the above definition.

Edit:

Below is the sample function's execution role... I do not see AWS mananged execution role names(such as AWSLambdaBasicExecutionRole). Because my understanding is, AWSLambdaBasicExecutionRole role should be assigned to Lambda, by default

---

Are we overriding the policy definition of AWSLambdaExecute in this example?

解决方案

When you are specifying policies, you are basically building an execution role your lambda function.

Policies is a list of policies because role can include multiple policies in it.

This line

- AWSLambdaExecute # Managed Policy

states that the lambda function that you are creating should include this AWS managed policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
} 

Following lines:

- Version: '2012-10-17' # Policy Document
       Statement:
         - Effect: Allow
           Action:
             - s3:GetObject
             - s3:GetObjectACL
           Resource: 'arn:aws:s3:::my-bucket/*'

are specifying next policy that you want to include in your lambda execution role.

Are we overriding the policy definition of AWSLambdaExecute in this example?

No, we are adding multiple policies to lambda execution role, one of them is AWS managed policy and one is our own custom policy. So the lambda function will have permissions defined in both of them. Or more precisely, union of those policies will be made and lambda function will have permissions defined by that union, meaning that if one of the policies allows lambda function to do something and the other denies the same thing, the result will be that the action will be denied.

这篇关于无法获取SAM模板资源中策略定义的语法（无服务器功能）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！