Terraform - How to attach an IAM role so API Gateway can invoke Lambda

Time: 2018-08-13 00:58:27

Tags: aws-lambda aws-api-gateway terraform terraform-provider-aws

Question

How do I attach an assumable role that allows Lambda invocation to an API Gateway API, or to all of its methods?

Create an API Gateway API for AWS Lambda Functions says to attach an IAM policy that allows invoking Lambda:


This means that at least the following IAM policy must be attached to the IAM role that API Gateway assumes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "*"
        }
    ]
}

The API Gateway role is an IAM role with the following trust relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Research

It looks like lambda_permission can be attached per method, but I am not sure whether there is a way to allow invocation from any method ("*").

Update

Api Gateway can't invoke Lambda function describes a way to attach it per method/function from the UI.


2 answers:

Answer 0 (score: 0)

As in Specify Lambda permissions for API Gateway REST API, set source_arn to the API's execution_arn.

resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.example.arn}"
  principal     = "apigateway.amazonaws.com"

  #--------------------------------------------------------------------------------
  # Per deployment
  #--------------------------------------------------------------------------------
  # The /*/*  grants access from any method on any resource within the deployment.
  # source_arn = "${aws_api_gateway_deployment.test.execution_arn}/*/*"

  #--------------------------------------------------------------------------------
  # Per API
  #--------------------------------------------------------------------------------
  # The /*/*/* part allows invocation from any stage, method and resource path
  # within API Gateway REST API.
  source_arn    = "${aws_api_gateway_rest_api.example.execution_arn}/*/*/*"
}

Answer 1 (score: 0)

resource "aws_api_gateway_rest_api" "api_gw" {
  name        = "your-api-gw-name"
  description = "your api gateway description"
}

data "aws_caller_identity" "current" {}

resource "aws_lambda_permission" "lambda_permission" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"

  # your lambda function ARN
  function_name = "arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:lambda-function-name"
  principal     = "apigateway.amazonaws.com"
  source_arn    = "arn:aws:execute-api:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api_gw.id}/*/POST/"
}

Note: declare the aws_region variable with the region value in the variable.tf file.
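As an added example (not code from the question or from either answer), the configuration below wires one Lambda function to a REST API and shows both ways of granting the invoke permission that the thread discusses: the resource-based aws_lambda_permission used in the answers, scoped to this one API's execution_arn rather than every API in the account, and the assumable IAM role the question describes, with Resource narrowed to the single function ARN instead of "*". It assumes Terraform 0.12+ syntax and the AWS provider; the names example_api, hello, hello.zip and the aws_region variable are placeholders.

```hcl
# Added example, not from the question or answers. Names are placeholders.
variable "aws_region" {
  type    = string
  default = "us-east-1"
}

provider "aws" {
  region = var.aws_region
}

# Execution role the function itself runs as (required by aws_lambda_function).
data "aws_iam_policy_document" "lambda_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_exec" {
  name               = "hello-lambda-exec"
  assume_role_policy = data.aws_iam_policy_document.lambda_trust.json
}

resource "aws_lambda_function" "hello" {
  function_name    = "hello"
  role             = aws_iam_role.lambda_exec.arn
  handler          = "index.handler"
  runtime          = "python3.9"
  filename         = "hello.zip" # placeholder deployment package
  source_code_hash = filebase64sha256("hello.zip")
}

# REST API with a single greedy proxy resource accepting any method.
resource "aws_api_gateway_rest_api" "example_api" {
  name = "example-api"
}

resource "aws_api_gateway_resource" "proxy" {
  rest_api_id = aws_api_gateway_rest_api.example_api.id
  parent_id   = aws_api_gateway_rest_api.example_api.root_resource_id
  path_part   = "{proxy+}"
}

resource "aws_api_gateway_method" "any" {
  rest_api_id   = aws_api_gateway_rest_api.example_api.id
  resource_id   = aws_api_gateway_resource.proxy.id
  http_method   = "ANY"
  authorization = "NONE"
}

# Option A (the answers' approach): resource-based policy on the function.
# source_arn = stage/*, method/*, path/* of THIS api only, never a bare "*".
resource "aws_lambda_permission" "apigw_invoke" {
  statement_id  = "AllowInvokeFromExampleApi"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.hello.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.example_api.execution_arn}/*/*/*"
}

# Option B (the role the question describes): a role API Gateway assumes for
# the integration. The policy names the one function ARN instead of "*".
data "aws_iam_policy_document" "apigw_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apigw_invoke" {
  name               = "example-api-invoke-lambda"
  assume_role_policy = data.aws_iam_policy_document.apigw_trust.json
}

data "aws_iam_policy_document" "apigw_invoke" {
  statement {
    actions   = ["lambda:InvokeFunction"]
    resources = [aws_lambda_function.hello.arn]
  }
}

resource "aws_iam_role_policy" "apigw_invoke" {
  role   = aws_iam_role.apigw_invoke.id
  policy = data.aws_iam_policy_document.apigw_invoke.json
}

resource "aws_api_gateway_integration" "lambda" {
  rest_api_id             = aws_api_gateway_rest_api.example_api.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = aws_api_gateway_method.any.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  uri                     = aws_lambda_function.hello.invoke_arn
  credentials             = aws_iam_role.apigw_invoke.arn # Option B; drop this line to rely on Option A alone
}
```

Either option on its own is enough for the integration to work; they are shown together so the two policies can be compared. With Option A the permission lives on the function and is limited by source_arn to one API; with Option B the grant lives on a role whose policy lists one function. In both cases the point is that a wildcard-only grant (Resource "*" or a source_arn of "*") would let any API in the account invoke the function, so the ARN of the specific API or function is what keeps the trust boundary narrow.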