AWS Lambda and IAM error on deploy: The role defined for the function cannot be assumed by Lambda

Problem description

In my AWS project, I use the Serverless Framework to deploy Lambda functions and IAM roles.

So I created 6 lambda functions, all using the same IAM Role below:

functions:

  auto-delete-identity:
    handler: src/auto-delete-identity.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-delete-identity

  auto-move-to-user-group:
    handler: src/auto-move-to-user-group.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-move-to-user-group

  auto-validate-user-creation:
    handler: src/auto-validate-user-creation.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-validate-user-creation

  auto-validation-user-email-modification:
    handler: src/auto-validation-user-email-modification.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: auto-validation-user-email-modification

  hello-demo:
    handler: src/hello-demo.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: hello-demo

  reset-user-password:
    handler: src/reset-user-password.handler
    role: arn:aws:iam::123456789012:role/lambdaIAMRole
    name: reset-user-password

resources:

  Resources:

    lambdaIAMRole:
      Type: "AWS::IAM::Role"
      Properties:
        RoleName: lambdaIAMRole
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action:
                - "sts:AssumeRole"
              Effect: "Allow"
              Principal:
                Service:
                  - "lambda.amazonaws.com"
        Policies:
          - PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Action:
                    - "logs:CreateLogGroup"
                    - "logs:CreateLogStream"
                    - "logs:PutLogEvents"
                  Effect: "Allow"
                  Resource:
                    - !Sub "arn:aws:logs:eu-central-1:123456789012:log-group:/aws/lambda/*:*"
            PolicyName: "myLambdaPolicy"

When I deploy using the serverless deploy command, I sometimes get the following error:

An error occurred: HelloDashdemoLambdaFunction - The role defined for the function cannot be assumed by Lambda. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4099072a-809d-4f1c-b83e-7f4f5dd5170b).

It looks like a random bug, since it doesn't occur every time. Also, when it occurs, it doesn't always occur on the same function.

Did I do something wrong? How can I fix that?

Thanks for your help.

Recommended answer

I think that the problem is that in your Lambda function declarations, you're referring to the IAM role as role: arn:aws:iam::123456789012:role/lambdaIAMRole. This is an absolute ARN and is how you would indicate an IAM role (or other resource) that was created and managed outside of your serverless.yml template.

In your case, the quickest fix is to simply replace role: arn:aws:iam::123456789012:role/lambdaIAMRole with role: lambdaIAMRole. The latter refers to an AWS resource declared inside the template.

An even better fix, assuming that all of your Lambda functions will have the same role, is to remove your lambdaIAMRole declaration entirely and then remove all role: arn:aws:iam::123456789012:role/lambdaIAMRole properties from the Lambda functions. The role declaration adds nothing over the default IAM role that the Serverless Framework will implicitly generate for you and assign to the Lambda functions. This is one of the things that makes the framework valuable - it provides good defaults to save you the time and effort. Examples here.
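A pre-deploy check for the pattern this answer describes, as an added example that is not part of the original question or answer: it flags any function whose `role` is an absolute ARN naming a role that the same template declares. It assumes the serverless.yml has already been parsed into a dict; the function names and the sample data are constructed for illustration.

```python
import re

# IAM role ARN; an optional path may precede the role name.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/(?:.+/)?(?P<name>[\w+=,.@-]+)$")

def declared_roles(template):
    """Map RoleName -> logical ID for every AWS::IAM::Role in resources.Resources."""
    resources = (template.get("resources") or {}).get("Resources") or {}
    roles = {}
    for logical_id, res in resources.items():
        if res.get("Type") == "AWS::IAM::Role":
            name = (res.get("Properties") or {}).get("RoleName")
            if isinstance(name, str):  # skip names built from intrinsic functions
                roles[name] = logical_id
    return roles

def find_hardcoded_roles(template):
    """Return (function, role ARN, logical ID to use instead) for each function
    whose `role` is a literal ARN naming a role declared in the same template.
    A literal ARN gives CloudFormation no reference to the role resource, so
    nothing orders the function's creation after the role's."""
    roles = declared_roles(template)
    findings = []
    for fn_name, fn in (template.get("functions") or {}).items():
        role = fn.get("role")
        match = ROLE_ARN.match(role) if isinstance(role, str) else None
        if match and match.group("name") in roles:
            findings.append((fn_name, role, roles[match.group("name")]))
    return findings

# Constructed sample: parsed form of a trimmed serverless.yml like the one above.
SAMPLE = {
    "functions": {
        "hello-demo": {"handler": "src/hello-demo.handler",
                       "role": "arn:aws:iam::123456789012:role/lambdaIAMRole"},
        "reset-user-password": {"handler": "src/reset-user-password.handler",
                                "role": "lambdaIAMRole"},  # already a logical ID
    },
    "resources": {"Resources": {"lambdaIAMRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"RoleName": "lambdaIAMRole"},
    }}},
}

if __name__ == "__main__":
    for fn_name, arn, logical_id in find_hardcoded_roles(SAMPLE):
        print(f"{fn_name}: {arn} is declared in this template; use 'role: {logical_id}'")
```

Roles that really are managed outside the template are not reported, since their names do not match any declared `RoleName`.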
