以编程方式禁用/启用Lambda SNS触发器 [英] Disable/Enable Lambda SNS Trigger Programmatically
问题描述
我需要以编程方式禁用Lambda的SNS触发器,但是,我似乎无法这样做.我希望它在此功能的AWS Lambda控制台中显示已禁用":
I need to programmatically disable a lambda's SNS trigger, however, I seem to be unable to do so. I want this to show "Disabled" in the AWS Lambda console for the function:
这是我尝试过的代码:
function updateEndpoints(endpoints, enable) {
const promises = [];
endpoints.forEach((endpoint) => {
console.log(`${enable ? 'Enabling' : 'Disabling'} Endpoint: ${endpoint}`);
promises.push(
SNS.setEndpointAttributes({
EndpointArn: endpoint,
Attributes: {
Enabled: enable ? 'True' : 'False',
},
}).promise()
.catch((e) => {
console.error(`Error ${enable ? 'Enabling' : 'Disabling'} Endpoint: ${endpoint}`);
console.error(e);
}));
});
return Promise.all(promises);
}
端点ARN可以通过类似字符串的方式正确传入(用正确的值代替下面的<>):
The endpoint ARN is passed in correctly with a string like (with correct values in place of the <> below):
-
arn:aws:lambda:<region>:<accountId>:function:<functionName>
-
这会为我尝试启用或禁用的每个端点从AWS产生一个错误:
This produces an error from AWS for each endpoint I try to enable or disable:
-
InvalidParameter: Invalid parameter: EndpointArn Reason: Vendor lambda is not of SNS
-
是否无法通过SNS禁用Lambda的触发/端点?人们将如何去做呢?我希望不必取消订阅/订阅,因为这会使订阅对象超出CloudFormation的范围(对吗?).但是,根据文档,我查看了updateEventSourceMappings,该文档仅适用于DynamoDB流,Kinesis流和SQS,而不适用于SNS.
Is it not possible to disable the trigger/endpoint for a lambda via SNS? How would one go about doing this? I would prefer not to have to unsubscribe/subscribe as this would take the subscription objects out of CloudFormation's scope (correct?). I looked at updateEventSourceMappings, however, per the documentation, that only works with DynamoDB streams, Kinesis Streams, and SQS -- not SNS.
推荐答案
我找到了(100%)正确的方法.虽然可以使用@John Rotenstein的答案,但这并不完全正确,但仍然可以使用.
I found the (100%) correct way to do this. While the answer from @John Rotenstein could be used, it's not quite right, but should still work.
我发现当您单击切换开关时,lambda的策略实际上已更新:
I found when you click the toggle, the lambda's policy is actually updated:
启用:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "my-lambda-1552674933742",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-west-2:1234567890:function:my-lambda",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:sns:us-west-2:1234567890:my-lambda"
}
}
}
]
}
已禁用:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "my-lambda-1552674933742",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "lambda:DisableInvokeFunction",
"Resource": "arn:aws:lambda:us-west-2:1234567890:function:my-lambda",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:sns:us-west-2:1234567890:my-lambda"
}
}
}
]
}
注意操作是lambda:InvokeFunction与lambda:DisableInvokeFunction.
我执行此操作的过程如下: -Lambda.listFunctions -对于每个函数,Lambda.removePermission -对于每个函数,Lambda.addPermission
My process to do this is as follows: - Lambda.listFunctions - for each function, Lambda.removePermission - for each function, Lambda.addPermission
注意:
- Lambda api的默认安全限制是每个区域每个帐户100个并发执行.
- 您只能在AddPermission和AddLayerVersionPermission API操作范围内更新Lambda资源的基于资源的策略.您不能在JSON中为Lambda资源编写策略,也不能使用无法映射到这些操作的参数的条件. 在此处查看文档
此外,您可以使用Lambda.getPolicy查看lambda的策略以确保已更新.
Also, you can use Lambda.getPolicy to see the policy of the lambda to ensure it is updated.
这篇关于以编程方式禁用/启用Lambda SNS触发器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
