How can I grant permission to API Gateway to invoke lambda functions through CloudFormation?


Problem description

I've been all over the web searching for an answer to this.

Essentially, we're spinning up an API using Swagger, which is awesome and works great, but one thing doesn't work... When we make a call to an Endpoint, we get a 500 error (it's not a 500 error that we're providing either; it's one from AWS). The error states "Execution failed due to configuration error: Invalid permissions on Lambda function" (https://youtu.be/H4LM_jw5zzs <- This is a video, from another user, of the error I'm getting).

I've gone down many ratholes, and have found an answer... It involves using the AWS CLI and looks a bit like this:

aws lambda add-permission \
    --function-name FUNCTION_NAME \
    --statement-id STATEMENT_ID \
    --action lambda:InvokeFunction \
    --principal apigateway.amazonaws.com \
    --source-arn "arn:aws:execute-api:us-east-1:ACCOUNT_ID:API_ID/*/METHOD/ENDPOINT"

This is great and all, but we are using CloudFormation to spin up everything and we want this to be automated. Is there an easier way to go about this? Is there something in CloudFormation that will give us the resource policy that we need?

I'm hitting a bit of a wall with this, but I've been working on it for a few hours today and it's a bit of a blocker for our API release, so any help would be much appreciated. :)

Recommended answer

There is a CloudFormation solution to this problem. See the following CloudFormation snippet:

"Permission": {
    "Type": "AWS::Lambda::Permission",
    "Properties": {
        "FunctionName": { "Fn::GetAtt": [ "Lambda", "Arn" ] },
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "SourceArn": { "Fn::Join": [ "", [
            "arn:aws:execute-api:",
            { "Ref": "AWS::Region" }, ":",
            { "Ref": "AWS::AccountId" }, ":",
            { "Ref": "API" },
            "/*/*/*"
        ] ] }
    }
}

This grants API Gateway permissions to launch your Lambda function. Variables in this snippet you need to change are Lambda (line 4) and API (line 11).
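The SourceArn in the snippet above ends in /*/*/*, which matches every stage, method and path of the API, while the CLI command in the question pins the method and endpoint. The following check is an added example, not part of the original question or answer: it reads a template's AWS::Lambda::Permission resources and reports how tightly each API Gateway grant is scoped. The function names, finding strings and sample logical IDs are assumptions made for illustration.

```python
import re

def render(v):
    """Flatten Ref / Fn::Join / Fn::Sub to one string; references become ${Name}."""
    if isinstance(v, str):
        return v
    if isinstance(v, dict) and len(v) == 1:
        (key, arg), = v.items()
        if key == "Ref":
            return "${%s}" % arg
        if key == "Fn::Join":
            return arg[0].join(render(p) for p in arg[1])
        if key == "Fn::Sub":
            return arg if isinstance(arg, str) else arg[0]
    return "${unresolved}"

def audit(template):
    """Map each API Gateway invoke permission to how tightly SourceArn scopes it."""
    findings = {}
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if (res.get("Type") != "AWS::Lambda::Permission"
                or props.get("Principal") != "apigateway.amazonaws.com"):
            continue
        if "SourceArn" not in props:
            findings[name] = "no SourceArn"  # grant is not tied to any particular API
            continue
        # Mask ${...} refs (they contain ':'), then split ...:api-id/stage/METHOD/path
        arn = re.sub(r"\$\{[^}]+\}", "REF", render(props["SourceArn"]))
        api, _, rest = arn.split(":", 5)[-1].partition("/")
        parts = [api] + (rest.split("/", 2) + ["*", "*", "*"])[:3]
        wild = [n for n, p in zip(("api", "stage", "method", "path"), parts) if p == "*"]
        findings[name] = "wildcard: " + ",".join(wild) if wild else "scoped"
    return findings

def perm(source_arn=None):  # builds one constructed permission resource
    props = {"FunctionName": {"Fn::GetAtt": ["Lambda", "Arn"]},
             "Action": "lambda:InvokeFunction", "Principal": "apigateway.amazonaws.com"}
    if source_arn is not None:
        props["SourceArn"] = source_arn
    return {"Type": "AWS::Lambda::Permission", "Properties": props}

PREFIX = ["arn:aws:execute-api:", {"Ref": "AWS::Region"}, ":", {"Ref": "AWS::AccountId"}, ":", {"Ref": "API"}]
SAMPLE = {"Resources": {  # constructed template; logical IDs are hypothetical
    "AnswerStyle": perm({"Fn::Join": ["", PREFIX + ["/*/*/*"]]}),
    "CliStyle": perm({"Fn::Join": ["", PREFIX + ["/*/GET/orders"]]}),
    "Scoped": perm({"Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${API}/prod/GET/orders"}),
    "Unscoped": perm()}}
if __name__ == "__main__": print(audit(SAMPLE))
```

A grant reported as "no SourceArn" lets the apigateway.amazonaws.com principal invoke the function without restricting which API the call comes from, so that finding is the one to fix first.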
