AWS CDK授予对堆栈外部资源的权限 [英] AWS CDK give permission to resources outside the stack

问题描述

我对AWS CDK相当陌生，并且对AWS没有太多经验.在我正在编写的CDK堆栈中，我必须授予使用其他CDK模板构建且已经在aws中的资源的权限.

I am fairly new to AWS CDK and haven't had a lot of experience with AWS. In my CDK stack that I am writing, I have to give permissions to resources that are built with other CDK templates and are already in aws.

可以说，我的堆栈A包含一个lambda，该lambda将被另一个服务X调用.该服务X需要具有lambda的调用权限.我可以从服务栈A代码中授予服务X许可，还是需要修改服务X堆栈?

Lets say, my stack A contains a lambda, the lambda will be invoked from another service X. The service X needs to have invoke permission of lambda. Can I give the service X permission from the Stack A code or will I need to modify the service X stack?

推荐答案

您不必修改服务X Stack.

You don't have to modify service X Stack.

以下示例假定您正在使用打字稿.

The examples below assume you are using typescript.

如果要允许整个服务(不建议使用)对lambda调用权限，则可以使用以下命令:

If you want to allow the whole service (not recommended) invoke permission on your lambda you can use following:

对于S3

yourfunction.grantInvoke(new ServicePrincipal('s3.amazonaws.com'));

对于SNS

yourfunction.grantInvoke(new ServicePrincipal('sns.amazonaws.com'));

但是我建议您指定要允许其调用lambda的特定资源ARN.例如，如果它是另一个lambda函数，则可以如下指定其Role ARN:

But I would recommend specifying the specific resource ARN that you want to allow to invoke your lambda. For example if its another lambda function you can specify its Role ARN like following:

yourfunction.grantInvoke(new ArnPrincipal('arn:aws:iam:region:account-id:role/role-name'));

正如阿米特(Amit)在他的答案中提到的那样，如果要指定更精细的权限，也可以使用addPermission.您可以使用addPermission甚至允许其他AWS账户中的资源调用您的lambda.

And as Amit mentioned in his answer you can also use addPermission if you want to specify more granular permissions. You can use addPermission to even allow resources in other AWS accounts to invoke your lambda.

这篇关于AWS CDK授予对堆栈外部资源的权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！