我的lambda函数存在问题,该函数在泛型vpc中运行。 lambda函数基本上查询dynamodb表并发出从冰川中检索s3对象的请求。当我没有在lambda中指定VPC时它运行正常,但是当我这样做时它给了我错误:
"errorMessage": "User: arn:aws:sts::123456789012:assumed-role/NLM-INT-draps-lambda-role/retrieval-1 is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:123456789012:table/S3_log/index/ContentType-LastChecked-index"
角色权限如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:RestoreObject",
"s3:ListObjects",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::nlm-qa-int-draps-bucket",
"arn:aws:s3:::nlm-qa-int-draps-bucket/*"
],
"Effect": "Allow"
},
{
"Action": [
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem",
"dynamodb:UpdateTable"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:123456789012:table/S3_log",
"arn:aws:dynamodb:us-east-1:123456789012:table/S3_log/index/item_status-index",
"arn:aws:dynamodb:us-east-1:123456789012:table/S3_log/index/ContentType-LastChecked-index"
],
"Effect": "Allow"
},
{
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:us-east-1:123456789012:function:nlm-int-draps-us-east-1-upload",
"arn:aws:lambda:us-east-1::function:retrieval-1",
"arn:aws:lambda:us-east-1:123456789012:function:final_lambda"
],
"Effect": "Allow"
}
]
}
该角色还有一个信任关系策略,允许lambda在代表上述角色的情况下通过cloudevent自动运行:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
我还应该注意,即使我提供lambda AdministratorAccess角色权限,如果我在VPC中运行lambda,它仍然会失败,这使我相信问题可能与权限无关。
在另一个lambda函数中,它也运行在由S3 PUTS触发的同一个VPC内写入dynamodb我必须为vpc创建一个dynamodb端点来访问dynamodb,所以我认为这个问题可能是相关的。感谢任何帮助,谢谢!
答案 0 :(得分:2)
鉴于您的情况描述,似乎VPC端点配置导致此Lambda函数出现一些问题。您需要诊断原因或只是删除VPC端点。
要授予对链接到VPC的AWS Lambda函数的Internet访问权限(例如,访问DynamoDB端点),您将需要以下其中一项:
这样可以避免为DynamoDB配置VPC端点。