Setting the access role for an event stream created via CloudFormation

Time: 2018-02-15 06:58:03

Tags: aws-lambda amazon-cloudformation aws-iam

I tried using the following template.yml

Adding a DynamoDB stream
MyFunc:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./myfunc
      Handler: main
      Runtime: go1.x
      Events:
        MyStream:
          Type: DynamoDB
          Properties:
            Stream: !GetAtt MyTable.StreamArn
            BatchSize: 1
            StartingPosition: LATEST
      Role:
        Fn::ImportValue:
          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]

However, I get the following error at the deploy stage:

Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM.

Attempt 1

So I tried to fix the problem by adding the following policy to my IAM (CodeStarWorker-myproject-CloudFormation):

"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:DescribeStream",
"dynamodb:ListStreams",

That didn't work; it still gives me the same error.

Attempt 2

Tried using Policies instead of Role in template.yml

MyFunc:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./myfunc
      Handler: main
      Runtime: go1.x
      Events:
        MyStream:
          Type: DynamoDB
          Properties:
            Stream: !GetAtt MyTable.StreamArn
            BatchSize: 1
            StartingPosition: LATEST
      Policies:
        - IAMFullAccess
        - AWSLambdaFullAccess

But it gave me the following error:

API: iam:CreateRole User: arn:aws:sts::xxx:assumed-role/CodeStarWorker-xxx-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxx:role/awscodestar-xxx-lambda-MyFuncRole-1BO7G545IR5IC

Attempt 3

Specifying the role in template.yml

LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow #allow lambda to assume this role
          Principal:
            Service:
            - lambda.amazonaws.com
          Action:
          - sts:AssumeRole
      Path: "/"
      Policies:
        - PolicyName: LambdaRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
            - Effect: Allow # allow to write logs to cloudwatch
              Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              Resource: arn:aws:logs:*:*:*
            - Effect: Allow # allow lambda to read from the event stream
              Action:
              - dynamodb:DescribeStream
              - dynamodb:GetRecords
              - dynamodb:GetShardIterator
              - dynamodb:ListStreams
              Resource: "*"

and assigned it to MyFunc

Role:
  Fn::GetAtt: [ LambdaRole , Arn ]

But it also gives me the same error, saying I am not authorized to perform iam:CreateRole.

Any help?

1 answer:

Answer 0 (score: 0)

iam:CreateRole - you need this action in order to create a role. The user used to run the CloudFormation template needs to include the "CreateRole" action.
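The permission the answer describes, as an added example that is not part of the original question or answer: an IAM policy to attach to the CodeStarWorker-...-CloudFormation role (the principal named in the error message) so that CloudFormation can create, and later update or delete, the stack's Lambda execution role. It is scoped to the awscodestar-* role name pattern that appears in the error instead of granting iam:* on every resource. ACCOUNT_ID_PLACEHOLDER stands for the account id, the Sid names are mine, and the actions beyond iam:CreateRole (role policy and lifecycle actions, plus iam:PassRole restricted to Lambda through the iam:PassedToService condition key) are my assumptions about what a full create/update/delete cycle of the LambdaRole resource needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageLambdaRolesCreatedByTheStack",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/awscodestar-*"
    },
    {
      "Sid": "PassStackRolesOnlyToLambda",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/awscodestar-*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    }
  ]
}
```

The dynamodb:GetRecords, GetShardIterator, DescribeStream and ListStreams actions from attempt 1 belong on the Lambda execution role that reads the stream (as in attempt 3's LambdaRole), not on the CloudFormation deployment role, which is why attempt 1 left the first error unchanged.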