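I am trying to build a fact skill by following the instructions at https://github.com/alexa/skill-sample-nodejs-fact.
I cloned the repository, initialized the ASK CLI and installed the npm dependencies.
Then I tried to deploy the skill and the Lambda function in one step by running the command ask deploy. But it shows AccessDeniedException.
Please help me resolve the problem.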
-------------------- Create Skill Project --------------------
Profile for the deployment: [default] Skill Id: amzn1.ask.skill.1234ab-1234
Skill deployment finished. Model deployment finished. Create Lambda error. AccessDeniedException: User: arn:aws:iam::12345678:user/ASK_CLI_USER is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:us-east-1:12345678:function:what_name_you_want_to_name_the_lambda
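Please note:
Installed and set up the ASK CLI following the instructions at this link: https://developer.amazon.com/docs/smapi/quick-start-alexa-skills-kit-command-line-interface.html
Set up credentials for the Amazon Web Services (AWS) account CLI following the instructions at this link: https://developer.amazon.com/docs/smapi/set-up-credentials-for-an-amazon-web-services-account.html
Created a user ASK_CLI_USER and created a new policy with these permissions: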
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:AttachRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam:::role/ask-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode",
        "lambda:ListFunctions"
      ],
      "Resource": "arn:aws:lambda:::function:ask-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:FilterLogEvents",
        "logs:getLogEvents",
        "logs:describeLogStreams"
      ],
      "Resource": "arn:aws:logs:::log-group:/aws/lambda/ask-"
    }
  ]
}
Answer 0 (score: 1)
The resource you should restrict to is "arn:aws:lambda:*:*:function:ask-*". It looks like you missed the asterisks.
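The following is an added example, not code from the question or the answers: a simplified model of IAM resource matching (field-by-field wildcard comparison, not AWS's own evaluator) run over the two patterns and the ARN from the error above. The `ask-fact-skill` function name is a hypothetical value; the check shows that the starred pattern only covers function names beginning with `ask-`.

```python
import re

# Values taken from this page.
POSTED_PATTERN = "arn:aws:lambda:::function:ask-"
CORRECTED_PATTERN = "arn:aws:lambda:*:*:function:ask-*"
DENIED_ARN = ("arn:aws:lambda:us-east-1:12345678:function:"
              "what_name_you_want_to_name_the_lambda")
# Constructed ARN with a hypothetical function name carrying the ask- prefix.
PREFIXED_ARN = "arn:aws:lambda:us-east-1:12345678:function:ask-fact-skill"

FIELDS = ["prefix", "partition", "service", "region", "account", "resource"]


def _segment_matches(pattern: str, value: str) -> bool:
    """Match one ARN field: '*' is any run of characters, '?' is one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def failing_fields(pattern: str, arn: str) -> list:
    """Return the names of the ARN fields the pattern does not match."""
    if pattern == "*":
        return []
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return ["malformed"]
    return [name for name, p, a in zip(FIELDS, p_parts, a_parts)
            if not _segment_matches(p, a)]


def resource_matches(pattern: str, arn: str) -> bool:
    """Simplified model: the statement applies only if every field matches."""
    return not failing_fields(pattern, arn)


if __name__ == "__main__":
    for pattern in (POSTED_PATTERN, CORRECTED_PATTERN):
        for arn in (DENIED_ARN, PREFIXED_ARN):
            print(f"{pattern!r} vs {arn.rsplit(':', 1)[1]!r}: "
                  f"match={resource_matches(pattern, arn)} "
                  f"failing={failing_fields(pattern, arn)}")
```

The same reasoning applies to the `iam` and `logs` statements in the posted policy, whose Resource values also have empty region and account fields and no trailing wildcard.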
Answer 1 (score: 0)
It says it clearly:
AccessDeniedException: User: arn:aws:iam::12345678:user/ASK_CLI_USER is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:us-east-1:12345678:function:what_name_you_want_to_name_the_lambda
Go into your console and to the user ASK_CLI_USER