I have a CloudFormation template that creates a Lambda function and an SNS topic. The Lambda function does some processing and publishes the result to the SNS topic.
To get the ARN of the SNS topic, I am using the boto3.client('sns').list_topics() function and then searching for the SNS topic name I set in the template.
But calling the list_topics() API gives me the following error:
An error occurred (AuthorizationError) when calling the ListTopics operation: User: arn:aws:sts::136732452473:assumed-role/test/severless-btc-update-PriceUpdateFunction-B38KNZMCBGB is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:eu-west-1:136732452473:*
How do I add the ListTopics permission for my Lambda resource in the CloudFormation template YAML file?
Here is my cloudformation.yaml file:
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Bitcoin daily update
Parameters:
  PhoneNumber:
    Type: String
    Description: The phone number recipient of the update, in E.164 (e.g. +919876123456) format.
  UTCHour:
    Type: String
    Default: 3
    Description: The hour at which to send the update, in the UTC time zone.
Resources:
  PriceUpdateFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: main.lambda_handler
      Runtime: python3.6
      Timeout: 5
      CodeUri: main.py
      Environment:
        Variables:
          PHONE_NUMBER: !Ref PhoneNumber
      Events:
        ScheduledEvent:
          Type: Schedule
          Properties:
            Schedule: !Join [' ', ['cron(0', !Ref UTCHour, '* * ? *)']]
      Policies:
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt SNSTopic.TopicName
  SNSTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: "sendSMS"
      DisplayName: "BitcoinPriceTopic"
      Subscription:
        - Endpoint: !Ref PhoneNumber
          Protocol: "sms"
Answer 0 (score: 3)
You need to define a Lambda execution role and assign the appropriate permissions to the function. There should be a Role property on AWS::Serverless::Function:

    Role: !GetAtt LambdaExecutionRole.Arn

Then create the referenced role in the template:

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: [lambda.amazonaws.com]}
            Action: ['sts:AssumeRole']
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
        - PolicyName: SNSPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - "SNS:ListTopics"   # IAM action name is plural, as in the error message
                Resource: ['*']

Adjust the permissions in the Action section as needed.
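A lower-privilege alternative, added here as an example and not part of the question or the answer above. Two caveats apply to the role-based fix: SNS:ListTopics is not resource-scoped (the only valid Resource is "*", which is why the error names arn:aws:sns:eu-west-1:136732452473:*), and in SAM, once Role is set on an AWS::Serverless::Function the Policies list (here SNSPublishMessagePolicy) is ignored, so the role above would also have to grant sns:Publish on the topic. Because the template already owns the topic, the function does not need to enumerate anything: !Ref on an AWS::SNS::Topic returns the topic ARN, so adding TOPIC_ARN: !Ref SNSTopic under Environment.Variables removes the need for ListTopics altogether. The handler code below is mine, not the asker's main.py; it reads TOPIC_ARN first and only falls back to list_topics(), walking every NextToken page and matching on the exact topic name instead of a substring. FakeSNS, the account id 123456789012 and the topic ARNs are constructed test data so the module runs offline without boto3.

```python
"""Resolve the SNS topic ARN inside the Lambda without needing SNS:ListTopics.

Added example: prefers a TOPIC_ARN environment variable (assumed to be set in
the template with `TOPIC_ARN: !Ref SNSTopic`) and only falls back to
ListTopics, which then needs the IAM permission shown in the answer.
"""
import os


def find_topic_arn(sns_client, topic_name):
    """Walk every page of ListTopics and return the ARN whose name matches exactly.

    ListTopics returns at most 100 topics per call and signals more pages with
    NextToken; a single call silently misses topics beyond the first page.
    The topic name is the last ':'-separated ARN field, so compare that field
    rather than using a substring test, which would also match 'sendSMS-old'.
    """
    kwargs = {}
    while True:
        response = sns_client.list_topics(**kwargs)
        for topic in response.get("Topics", []):
            arn = topic["TopicArn"]
            if arn.rsplit(":", 1)[-1] == topic_name:
                return arn
        token = response.get("NextToken")
        if not token:
            return None
        kwargs = {"NextToken": token}


def resolve_topic_arn(topic_name, env=None, sns_client=None):
    """Use TOPIC_ARN from the environment when present; otherwise enumerate topics.

    The environment path needs no SNS:ListTopics permission at all. The boto3
    client is created lazily so this module imports without boto3 installed.
    """
    env = os.environ if env is None else env
    arn = env.get("TOPIC_ARN")
    if arn:
        return arn
    if sns_client is None:
        import boto3  # only needed on the fallback path
        sns_client = boto3.client("sns")
    return find_topic_arn(sns_client, topic_name)


class FakeSNS:
    """Constructed stand-in for boto3.client('sns') that serves canned pages.

    It mimics only the part of list_topics() this module uses and counts
    calls so pagination can be verified offline.
    """

    def __init__(self, pages):
        self._pages = pages
        self.calls = 0

    def list_topics(self, NextToken=None):
        self.calls += 1
        # Tokens here are page indices as strings; real tokens are opaque.
        index = int(NextToken) if NextToken is not None else 0
        page = dict(self._pages[index])
        if index + 1 < len(self._pages):
            page["NextToken"] = str(index + 1)
        return page


# Constructed sample data: fictitious account id; 'sendSMS' sits on the second
# page behind a similarly named topic that a substring match would wrongly return.
SAMPLE_PAGES = [
    {"Topics": [{"TopicArn": "arn:aws:sns:eu-west-1:123456789012:sendSMS-old"}]},
    {"Topics": [{"TopicArn": "arn:aws:sns:eu-west-1:123456789012:sendSMS"}]},
]


def lambda_handler(event, context):
    """Real handler shape: resolve the topic, then publish (needs boto3 at runtime)."""
    import boto3
    sns = boto3.client("sns")
    arn = resolve_topic_arn("sendSMS", sns_client=sns)
    if arn is None:
        raise RuntimeError("topic 'sendSMS' not found; set TOPIC_ARN in the template")
    return sns.publish(TopicArn=arn, Message=str(event))


if __name__ == "__main__":
    fake = FakeSNS(SAMPLE_PAGES)
    print(resolve_topic_arn("sendSMS", env={}, sns_client=fake), "after", fake.calls, "pages")
```

With TOPIC_ARN set, the function's policy only needs sns:Publish on that one topic ARN (which SNSPublishMessagePolicy already grants) and the ListTopics statement with Resource "*" can be dropped entirely.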