What is "trusted entities" in the resulting role definition of a Lambda function?


Problem description

Below is the SAM template:

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
        - AWSLambdaExecute


For this template, below is the role (JSON) that was created for the Lambda function:

{
  "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA",
  "policies": [
    {...}, # AWSLambdaExecute
    {...}, # AWSLambdaSQSQueueExecutionRole
    {....} # AWSLambdaBasicExecutionRole
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}


What is trustedEntities in this JSON?

Recommended answer

Trusted entities are the set of entities that can assume this role. If you are creating the function via SAM, a trust relationship between the role created by SAM and the Lambda service in your account is created automatically, which in turn means that your Lambda function can assume this role.

If you want to assign this role to an EC2 instance, you will not be able to, because your role does not trust the EC2 service by default. You would need to modify the trust relationship and include the EC2 service, like this:

"trustedEntities": [
    "lambda.amazonaws.com",
    "ec2.amazonaws.com"
  ]

This is also useful if you want to create a role that can be assumed across accounts: you can specify another account as a trusted entity so that the other account(s) will be able to assume the role.

And if the trustedEntities list is empty, nobody is able to assume the role.
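The trustedEntities list shown above is the console's summary of the role's trust policy (its AssumeRolePolicyDocument): a principal can call sts:AssumeRole on the role only if an Allow statement in that document names it. As an added example that is not part of the original question or answer, the Python below builds a trust policy of the shape SAM generates for a function role, extracts its trusted entities the way the console summary does, and produces the "also trust EC2" and cross-account variants the answer describes. The policy documents, the account id 123456789012 and the external id string are constructed for the example; the sts:ExternalId condition on the cross-account statement is a hardening choice of this example, not something the answer mentions.

```python
import json
from typing import Optional

# Constructed trust policy (AssumeRolePolicyDocument) of the shape SAM creates
# for a function role: only the Lambda service principal may assume the role.
SAM_LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value) -> list:
    """IAM allows Statement, Principal and Action values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_entities(policy: dict) -> set:
    """Principals allowed to assume the role, i.e. what the IAM console shows as
    'trustedEntities'.  Service principals are returned by name
    (e.g. 'lambda.amazonaws.com'), AWS principals by ARN or account id, and a
    wildcard principal as '*'.  Conditions are not evaluated here, so the result
    is the upper bound of who may assume the role."""
    entities = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            entities.add("*")
            continue
        if not isinstance(principal, dict):
            continue
        for kind in ("Service", "AWS", "Federated"):
            entities.update(_as_list(principal.get(kind)))
    return entities


def can_assume(policy: dict, principal: str) -> bool:
    """True if `principal` is a trusted entity of the role (or the policy trusts '*')."""
    entities = trusted_entities(policy)
    return "*" in entities or principal in entities


def add_trusted_service(policy: dict, service: str) -> dict:
    """Copy of the trust policy that additionally trusts an AWS service principal,
    e.g. 'ec2.amazonaws.com'.  A new statement is appended; the input is unchanged."""
    new_policy = json.loads(json.dumps(policy))
    new_policy["Statement"].append(
        {
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }
    )
    return new_policy


def add_trusted_account(policy: dict, account_id: str,
                        external_id: Optional[str] = None) -> dict:
    """Copy of the trust policy that lets another AWS account assume the role
    (cross-account trust).  When `external_id` is given, the statement carries the
    sts:ExternalId condition commonly used against the confused-deputy problem;
    that condition is this example's addition, not part of the original answer."""
    new_policy = json.loads(json.dumps(policy))
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    new_policy["Statement"].append(stmt)
    return new_policy


if __name__ == "__main__":
    policy = SAM_LAMBDA_TRUST_POLICY
    print("SAM role trusts:", sorted(trusted_entities(policy)))
    print("EC2 can assume it:", can_assume(policy, "ec2.amazonaws.com"))
    policy = add_trusted_service(policy, "ec2.amazonaws.com")
    policy = add_trusted_account(policy, "123456789012", external_id="example-external-id")
    print(json.dumps(policy, indent=2))
```

SAM does not expose the generated role's trust policy in the template, so if a function needs a role with a different trust relationship, define an AWS::IAM::Role resource with your own AssumeRolePolicyDocument and reference its ARN from the function's Role property instead of relying on the auto-generated role.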

