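AWS Batch: submit a job using Lambda

Time: 2017-11-16 13:34:11

Tags: amazon-web-services aws-lambda roles aws-batch

Context: AWS, S3, Lambda, Batch

I have a lambda that is triggered when a file is uploaded to an S3 bucket. I want the lambda to submit a Batch job.

(Edit: everything works fine between S3 and Lambda. The problem is between Lambda and Batch.)

What role do I have to give the lambda in order to be able to submit a Batch job?

My lambda gets an AccessDeniedException and fails to submit the job when: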

const params = {
  jobDefinition: BATCH_JOB_DEFINITION,
  jobName: BATCH_JOB_NAME,
  jobQueue: BATCH_JOB_QUEUE,
};

Batch.submitJob(params).promise() .then .......

2 answers:

Answer 0: (score: 9)

This seems to be the role I was looking for: batch:SubmitJob. With this role, the lambda is able to submit the job.

iamRoleStatements:
  - Effect: Allow
    Action:
      - batch:SubmitJob
    Resource: "arn:aws:batch:*:*:*"

Answer 1: (score: 2)

You can create a policy similar to the AWS Batch Managed Policy.

The following policy allows admin access; you can modify it as needed:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "batch:*",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ecs:DescribeClusters",
                "ecs:Describe*",
                "ecs:List*",
                "logs:Describe*",
                "logs:Get*",
                "logs:TestMetricFilter",
                "logs:FilterLogEvents",
                "iam:ListInstanceProfiles",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:PassRole"],
            "Resource": [
                "arn:aws:iam::*:role/AWSBatchServiceRole",
                "arn:aws:iam::*:role/ecsInstanceRole",
                "arn:aws:iam::*:role/iaws-ec2-spot-fleet-role",
                "arn:aws:iam::*:role/aws-ec2-spot-fleet-role",
                "arn:aws:iam::*:role/AWSBatchJobRole*"
            ]
        }
    ]
}

Attach the policy to the lambda and try again; see the AWS Documentation.
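
An added example (not part of the question or either answer): a small JavaScript audit that runs over the grants from the two answers and a scoped alternative, and reports where a submit-only role is broader than `batch:SubmitJob` on one queue and one job definition. The function name `auditSubmitJobPolicy`, the finding codes, and the account ID, queue and job names in the scoped policy are assumptions made for illustration.

```javascript
// Added example, not code from the question or either answer.
// Flags IAM grants broader than a submit-only Lambda role needs for Batch.
const asArray = (v) => (Array.isArray(v) ? v : [v]);

// A Batch resource counts as scoped when it names one job queue or one job
// definition (a wildcard is tolerated only for the definition revision).
const SCOPED = /^(job-queue\/[^*]+|job-definition\/[^*]+(:\*)?)$/;

function auditSubmitJobPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // only Allow statements grant access
    const actions = asArray(stmt.Action);
    const batchActions = actions.filter((a) => a.toLowerCase().startsWith("batch:"));
    for (const a of batchActions) {
      if (a.includes("*")) findings.push({ statement: i, code: "BATCH_WILDCARD_ACTION", value: a });
    }
    if (batchActions.length > 0) {
      for (const r of asArray(stmt.Resource)) {
        // ARN layout: arn:partition:service:region:account:resource
        const resource = r.split(":").slice(5).join(":");
        if (!SCOPED.test(resource)) findings.push({ statement: i, code: "BROAD_BATCH_RESOURCE", value: r });
      }
    }
    // Answer 0 reports that submitJob worked with batch:SubmitJob alone,
    // so a PassRole grant on a submit-only role is reported for review.
    if (actions.includes("iam:PassRole")) {
      findings.push({ statement: i, code: "PASSROLE_GRANT", value: "iam:PassRole" });
    }
  });
  return findings;
}

// Constructed inputs: answer 0's statement as JSON, an excerpt of answer 1's
// policy, and a scoped variant with made-up account, queue and job names.
const answer0 = { Statement: [{ Effect: "Allow", Action: ["batch:SubmitJob"], Resource: "arn:aws:batch:*:*:*" }] };
const answer1 = { Statement: [
  { Effect: "Allow", Action: ["batch:*", "ecs:List*", "iam:ListRoles"], Resource: "*" },
  { Effect: "Allow", Action: ["iam:PassRole"], Resource: ["arn:aws:iam::*:role/AWSBatchServiceRole"] },
] };
const scoped = { Statement: [{ Effect: "Allow", Action: "batch:SubmitJob", Resource: [
  "arn:aws:batch:us-east-1:111122223333:job-queue/example-queue",
  "arn:aws:batch:us-east-1:111122223333:job-definition/example-job:*",
] }] };

for (const [name, p] of Object.entries({ answer0, answer1, scoped })) {
  console.log(name, auditSubmitJobPolicy(p).map((f) => `${f.code} ${f.value}`));
}
```
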