Lambda 函数所承担的角色的 ARN 是多少? [英] What is the ARN of an assumed role assumed by a Lambda function?
问题描述
我正在尝试使用我的存储桶策略中的 NotPrincipal 元素来明确拒绝对我的 s3 存储桶的访问,同时将访问该存储桶的特定 lambda 列入白名单.我在 NotPrincipal 元素中为 lambda 的角色指定了角色 ARN 并承担了角色 ARN:
"arn:aws:iam::{Account ID}:role/service-role/{Lambda 角色名称}",
"arn:aws:sts::{Account ID}:assumed-role/{Lambda 角色名称}/{角色会话名称}"
此文档解释了代入角色 ARN 的结构:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
我似乎无法让假定的角色 ARN 正确.存储桶策略有效,但似乎我可以为角色会话名称(假定角色 ARN 的最后一部分)提供任何内容,并且 ARN 被认为是有效的.当 Lambda 或其他服务承担服务角色时,AWS 将此角色会话名称设置为什么?是否可以列出角色的活动会话或列出假定的角色 ARN?我目前使用 Lambda 函数名称作为角色会话名称,但这不起作用(Lambda 仍然无法访问存储桶).
由于我无法在 NotPrincipal 元素中使用通配符,因此一旦 Lambda 承担角色,我就需要它的完整承担角色 ARN.
更新:
我尝试使用两个条件来拒绝 ARN 与 Lambda 角色或代入角色的 ARN 不匹配的所有请求.Lambda 角色仍然被拒绝使用 IAM 策略模拟器写入 S3.这是政策:
<代码>{"版本": "2012-10-17",陈述": [{"Sid": "WhitelistRegistryAPILambdaRole","Effect": "拒绝",主要的": "*",行动": ["s3:PutObject","s3:删除对象","s3:DeleteObjectVersion","s3:GetObjectVersion",s3:获取对象"],资源":["arn:aws:s3:::{bucket name}","arn:aws:s3:::{bucket name}/*"],健康)状况": {ArnNotLike":{"AWS:SourceARN": "arn:aws:iam::{account ID}:role/{lambda 角色名称}"}}},{"Sid": "WhitelistRegistryAPILambdaAssumedRole","Effect": "拒绝",主要的": "*",行动": ["s3:PutObject","s3:删除对象","s3:DeleteObjectVersion","s3:GetObjectVersion",s3:获取对象"],资源":["arn:aws:s3:::{bucket name}","arn:aws:s3:::{bucket name}/*"],健康)状况": {ArnNotLike":{"AWS:SourceARN": "arn:aws:sts::{account ID}:assumed-role/{lambda 角色名称}/{lambda 函数名称}"}}}]}
TL;DR:
Lambda 函数的假定角色 ARN 构造如下:
arn:aws:sts::{AccountID}:assumed-role/{RoleName}/{FunctionName}详情:
所以角色会话名称"在您的情况下,是 lambda 函数名称.您可以通过尝试从您没有权限的 Lambda(例如 DynamoDB ListTables)调用 API 来轻松验证这一点.回调中的错误消息还将包含假定的角色 ARN(请注意,某些服务,例如 S3,在操作被拒绝时不会提供详细的错误消息.DynamoDB、Lambda 和大多数最近启动的服务将提供.)
我不确定您为什么需要 NotPrincipal,因为可能有更好的方法来处理您描述的场景:) 更多信息将有助于提供更准确的答案.
来自 AWS IAM 文档:<块引用>
重要:很少有场景需要使用 NotPrincipal,我们建议您先探索其他授权选项决定使用 NotPrincipal.
I am trying to use the NotPrincipal element in my bucket policy to explicitly deny access to my s3 bucket while whitelisting a particular lambda that accesses the bucket. I specified the role ARN and assumed role ARN for the lambda's role in the NotPrincipal element:
"arn:aws:iam::{Account ID}:role/service-role/{Lambda role name}",
"arn:aws:sts::{Account ID}:assumed-role/{Lambda role name}/{role session name}"
This doc explains the structure of the assumed role ARNs: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
I can't seem to get the assumed role ARN correct. The bucket policy is valid, but it seems I can provide anything for the role session name (the last part of the assumed-role ARN), and the ARN is considered valid. What does AWS set this role session name to when Lambda or other service assumes a service role? Is it possible to list active sessions for a role or list the assumed-role ARNs? I am currently using the Lambda function name for the role session name, but this is not working (the Lambda still cannot access the bucket).
Since I can't use wildcards in the NotPrincipal element, I need the full assumed-role ARN of the Lambda once it assumes the role.
UPDATE:
I tried using two conditions to deny all requests where the ARN does not match the ARN of the Lambda role or assumed role. The Lambda role is still denied from writing to S3 using the IAM policy simulator. Here is the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WhitelistRegistryAPILambdaRole",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{bucket name}",
"arn:aws:s3:::{bucket name}/*"
],
"Condition": {
"ArnNotLike": {
"AWS:SourceARN": "arn:aws:iam::{account ID}:role/{lambda role name}"
}
}
},
{
"Sid": "WhitelistRegistryAPILambdaAssumedRole",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:PutObject",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{bucket name}",
"arn:aws:s3:::{bucket name}/*"
],
"Condition": {
"ArnNotLike": {
"AWS:SourceARN": "arn:aws:sts::{account ID}:assumed-role/{lambda role name}/{lambda function name}"
}
}
}
]
}
TL;DR:
The Assumed Role ARN of a Lambda Function is constructed as this:
arn:aws:sts::{AccountID}:assumed-role/{RoleName}/{FunctionName}
Details:
So the "role session name" is, in your case, the lambda function name. You can easily verify this, by trying to call an API from your Lambda (DynamoDB ListTables for example) for which you do not have permissions. The error message in the callback will also contain the assumed role ARN (note that some service such as S3 do not provide detailed error messages when an operation is denied. DynamoDB, Lambda, and most of the recently launched services, will.)
I'm not sure to understand why you need a NotPrincipal, as probably there is a better way to handle the scenario you described :) More info would be useful to provide a more precise answer.
From the AWS IAM Documentation:
Important: Very few scenarios require the use of NotPrincipal, and we recommend that you explore other authorization options before you decide to use NotPrincipal.
这篇关于Lambda 函数所承担的角色的 ARN 是多少?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
