Lambda-如何创建客户管理的政策? [英] Lambda - How to create customer managed policy?

问题描述

IAM策略可以通过两种方式创建:

IAM policies can be created in two ways:

• 托管策略(较新的方式)

• Managed policies(newer way)

• AWS托管策略
• 客户管理的政策

内联策略(较旧的方式)

Inline policies(older way)

下面的SAM模板正在创建内联策略:

Below SAM template is creating inline policy:

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function 
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
      - Statement:
        - Sid: AccessToS3Policy
          Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectACL
          Resource: 'arn:aws:s3:::some-bucket/*'

---

在最终的角色中，如下所示:

---

in the resultant role, as shown below:

{
   "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA",
   "policies": [
   {
      "document": {
        "Statement": [
          {
            "Action": [
              "s3:GetObject",
              "s3:GetObjectACL"
            ],
            "Resource": "arn:aws:s3:::some-bucket/*",
            "Effect": "Allow",
            "Sid": "AccessToS3Policy"
          }
        ]
      },
      "name": "HelloWorldFunctionRolePolicy0",
      "type": "inline"
    },
    .....
   ]
 }

---

对于Lambda函数，

---

In case of Lambda function,

1)如何创建客户管理的政策?

1) How to create Customer managed policy?

2)内联策略与客户托管策略有何不同?

2) How inline policy different from Customer managed policy?

推荐答案

如果在SAM模板中使用此语法

If you are using this syntax in your SAM template

Policies:
      - Statement:
        - Sid: AccessToS3Policy
          Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectACL
          Resource: 'arn:aws:s3:::some-bucket/*'

它将自动创建内联策略.如果要创建客户托管策略而非内联策略，则需要在模板中将策略定义为单独的Resource，并在policies中引用它.或者，您可以在模板之外创建角色(例如，通过AWS控制台)，然后以与引用AWS托管策略相同的方式引用该策略.

It will automatically create inline policy. If you want to create customer managed policy instead of inline policy then you need to define the policy as a separate Resource in you template and reference it in policies. Or you can create the role outside of the template (e.g. via AWS console) and reference that policy, in the same way you would reference AWS managed policy.

内联策略与客户托管策略有何不同?

我真的不会说内联策略是做事的老方法.内联策略和客户托管策略之间的唯一区别是，内联策略不能重复使用(您不能将内联策略分配给两个或多个实体).但这通常很方便，如果您需要将来不打算重复使用的特定策略.

I wouldn't really say that inline policy is the old way of doing things. The only difference between inline policy and customer managed policy is that inline policy cannot be reused (you cannot assign inline policy to two or more entities). But this can often be handy if you need a specific policy that you are not planning to reuse in future.

这篇关于Lambda-如何创建客户管理的政策?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！