允许Cloud Watch调用无服务器Lambda [英] Allow serverless lambda to be called by cloud watch
问题描述
我的 serverless.yml 中有一个lambda函数.看起来像这样:
I have one lambda function within my serverless.yml. It looks somehow like this:
functions:
clean:
handler: app.run
events:
- schedule: rate(2 hours)
它运行良好,开箱即用每2小时就会调用一次lambda.当我在AWS Console中添加新的 rule 并将新创建的lambda设置为目标时,它也可以工作.AWS Console和无服务器框架均在后台策略上创建 events.amazonaws.com 服务可以调用此特定功能的策略.该政策看起来像这样:
It works pretty well and out of the box lambda gets called every 2 hours. When I add new rule in AWS Console and sets the newly created lambda as a target it also works. Both AWS Console and Serverless framework creates on the background policy that events.amazonaws.com service can invoke this specific function. The policy looks somehow like this:
{
"Sid":"AWSEvents_rule_name_test",
"Effect":"Allow",
"Principal":{
"Service":"events.amazonaws.com"
},
"Action":"lambda:InvokeFunction",
"Resource":"arn:aws:lambda:eu-central-1:<account_id>:function:<lambda_name>",
"Condition":{
"ArnLike":{
"AWS:SourceArn":"arn:aws:events:eu-central-1:<account_id>:rule/<rule_name>"
}
}
}
我想以编程方式定义 rule ,而无需维护这些权限.我要做的就是创建规则,然后按照文档 https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html .没有许可步骤,它将不起作用.我想在 serverless.yml 级别具有通用权限,该权限使lambda可以由任何现有或不存在的规则调用(因此我只关心规则和目标).我的意思是说:授予云监视权限,以使用我的帐户中定义的任何规则调用任何lambda函数".那将更多地提高我的功能的可用性.
I would like to define rules programatically and without the need to maintain those permissions. What I do is I create rule, then I create target similarly as described in docs https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/RunLambdaSchedule.html. Without the permission step it doesnt work. I would like to have generic permission on the serverless.yml level that enables the lambda to be called by any existing or not yet existing rules (so I care only about rules and targets). I mean something that would say:
"Grant cloud watch permission to invoke any lambda function with any rule defined on my account". That would increase usability of my function alot more.
是否可以定义通常由AWS控制台生成的相同策略(上面的代码),而在 serverless.yml 文件中更通用一些?
Is it possible to define same policy that gets usually generated by AWS Console (code above) but little more generic and within serverless.yml file?
更新:我最终尝试下面的例子.应该创建通用"规则:
Update: I end up trying example bellow. It was supposed to create "generic" rule:
functions:
clean:
handler: app.run
events:
- schedule: rate(2 hours)
resources:
Resources:
cleanLambdaPermission:
DependsOn:
# This is how serverless converts function name. Has to be update accordingly when lambda gets renamed.
- cleanLambdaFunction
Type: AWS::Lambda::Permission
Properties:
FunctionName:
"Fn::GetAtt": [ cleanLambdaFunction, Arn ]
Action: "lambda:InvokeFunction"
Principal: "events.amazonaws.com"
SourceArn: "arn:aws:events:eu-central-1:<account_id>:rule"
尽管它显示不起作用,并且我的lambda从未被以编程方式创建的规则调用直到,但我添加了显式的 SourceArn ,该映射将一个规则恰好映射到一个特定的函数.我还通过以下三个步骤以编程方式进行操作:1.创建规则.2.创建目标.3.创建权限.
Though it showed up it didnt work and my lambda never got called by programatically created rules until I added explicit SourceArn that maps exactly one rule to one single specific function. I am doing it also programatically in three steps: 1. Create rule. 2. Create target. 3. Create permission.
要删除,我需要按相反的顺序进行.我没有发现这(不允许通配符)是错误还是故意的行为.
For delete I need proceed in reverse order. I didnt find if this (not allowing wildcards) is bug or intentional behaviour.
推荐答案
是的,您可以使用通配符'*'使其具有通用性.
Yes, You can use wild cards '*' to make it generic.
这篇关于允许Cloud Watch调用无服务器Lambda的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
