I created a small script that interacts with AWS to update security groups and EC2 instances. The script works fine on my machine, but I ran into trouble when testing it in the AWS Lambda console.
I am using Serverless to deploy the Lambda function to Amazon Web Services. I also created an IAM role for this new Lambda function.
The error I get is the (InvalidPermission.NotFound) error. The full error stack is shown below.
Error:
An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.: ClientError
Traceback (most recent call last):
  File "/var/task/ipm.py", line 205, in handler
    main()
  File "/var/task/ipm.py", line 197, in main
    sg_ips_remove(to_remove, state_sg, state_ping)
  File "/var/task/ipm.py", line 140, in sg_ips_remove
    update_security_group("revoke", sg_id, sg_ips, state_ping) # run script to authorize/revoke ip access
  File "/var/task/ipm.py", line 53, in update_security_group
    sg.update_sg_traffic(sg_rules=obj, sg_id=group_id, update_type=update_type)
  File "/var/task/sg.py", line 77, in update_sg_traffic
    ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
  File "/var/task/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/task/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.
This error occurs in the following code snippet. Again, this code runs fine on my machine, but throws the error during the Lambda function test.
import boto3


def update_sg_traffic(sg_id, sg_rules, update_type="authorize"):
    """ Update the inbound traffic associated with a SG. It is possible to add or remove IPs from the SG.
    """
    assert update_type in ["authorize", "revoke"]
    ec2 = boto3.client('ec2')
    if update_type == "authorize":
        # add the given IpPermissions as inbound rules
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
    else:
        # remove the given IpPermissions; every rule must already exist in the group
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
I find this error strange, because it complains about the rule RevokeSecurityGroupIngress, which has been added to the IAM role specified in the serverless.yaml file, as shown below.
service: ${self:custom.resourcePrefix}-pingdom-updater
custom:
  resourcePrefix: ${self:provider.stage}use1
provider:
  stage: ${opt:stage, 's'}
  name: aws
  runtime: python3.6
  memorySize: 128
  iamRoleStatements:
    - Effect: Allow
      Action:
        - ec2:AuthorizeSecurityGroupEgress
        - ec2:AuthorizeSecurityGroupIngress
        - ec2:CreateSecurityGroup
        - ec2:DeleteSecurityGroup
        - ec2:DescribeInstanceAttribute
        - ec2:DescribeInstanceStatus
        - ec2:DescribeInstances
        - ec2:DescribeNetworkAcls
        - ec2:DescribeSecurityGroups
        - ec2:RevokeSecurityGroupEgress
        - ec2:RevokeSecurityGroupIngress
      Resource: "*"
functions:
  pingdomUpdater:
    handler: ipm.handler
    events:
      - schedule:
          name: ${self:service}-schedule
          description: ""
          rate: rate(1 day)
plugins:
  - serverless-python-requirements
serverless.yaml
Does anyone know why I am getting this error? Any help would be appreciated. Thanks.
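As an added example (not code from the asker's post): InvalidPermission.NotFound is an EC2 API error, not an IAM one. It is raised when a rule in the revoke request does not exactly match an existing rule in that group (an IAM denial surfaces as UnauthorizedOperation instead), and a single unmatched rule fails the whole RevokeSecurityGroupIngress call. A defensive pattern is to describe the group first, split the requested rules into present and missing, and revoke only the present ones. The boto3 client is injected so the code runs offline against an in-memory stand-in; the group id, CIDRs and the FakeEc2 class are constructed for this demo. For real use, pass boto3.client('ec2') in place of FakeEc2.

```python
"""Revoke only the ingress rules that actually exist in a security group
(added example; the EC2 client is injected so the demo runs offline)."""

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: minimal stand-in with the same .response shape
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(f"{error_response['Error']['Code']} on {operation_name}")
            self.response = error_response
            self.operation_name = operation_name

# Constructed demo values, not from the original post.
DEMO_GROUP_ID = "sg-0123abcd"  # placeholder group id
DEMO_EXISTING = {("tcp", 443, 443, "198.51.100.10/32"), ("tcp", 22, 22, "198.51.100.11/32")}
# Revoke request: one rule that exists in the group, one that does not.
DEMO_REQUEST = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "198.51.100.10/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.5/32"}]},
]


def flatten_permissions(ip_permissions):
    """Expand an IpPermissions list into hashable IPv4 rule tuples
    (protocol, from_port, to_port, cidr): the fields EC2 matches a rule on."""
    rules = set()
    for perm in ip_permissions:
        for rng in perm.get("IpRanges", []):
            rules.add((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), rng["CidrIp"]))
    return rules


def rules_to_permissions(rules):
    """Inverse of flatten_permissions; ports are omitted for all-traffic ('-1') rules."""
    perms = []
    for proto, from_port, to_port, cidr in sorted(rules, key=repr):
        perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
        if from_port is not None:
            perm["FromPort"], perm["ToPort"] = from_port, to_port
        perms.append(perm)
    return perms


def split_revoke_request(ec2, sg_id, sg_rules):
    """Describe the group and return (present, missing) rule tuples for the request."""
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    have = flatten_permissions(resp["SecurityGroups"][0]["IpPermissions"])
    wanted = flatten_permissions(sg_rules)
    return wanted & have, wanted - have


def revoke_present_rules(ec2, sg_id, sg_rules):
    """Revoke only the rules that exist; return (revoked, skipped) so the caller can log the diff."""
    present, missing = split_revoke_request(ec2, sg_id, sg_rules)
    if present:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=rules_to_permissions(present))
    return present, missing


def naive_revoke_error_code(ec2, sg_id, sg_rules):
    """Call the raw revoke, as the original snippet does; return the AWS error code or None."""
    try:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
    except ClientError as exc:
        return exc.response["Error"]["Code"]
    return None


class FakeEc2:
    """In-memory stand-in for boto3's EC2 client (constructed for this demo). Like the
    real API, a revoke is all-or-nothing: one unmatched rule fails the whole call."""

    def __init__(self, groups):
        self.groups = {gid: set(rules) for gid, rules in groups.items()}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": g, "IpPermissions": rules_to_permissions(self.groups[g])}
                                   for g in GroupIds]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        wanted = flatten_permissions(IpPermissions)
        if wanted - self.groups[GroupId]:
            raise ClientError({"Error": {"Code": "InvalidPermission.NotFound",
                                         "Message": "The specified rule does not exist in this security group."}},
                              "RevokeSecurityGroupIngress")
        self.groups[GroupId] -= wanted
        return {"Return": True}


def demo():
    """Run both approaches against a fresh fake group; returns (naive_error, revoked, skipped)."""
    naive = naive_revoke_error_code(FakeEc2({DEMO_GROUP_ID: DEMO_EXISTING}), DEMO_GROUP_ID, DEMO_REQUEST)
    revoked, skipped = revoke_present_rules(FakeEc2({DEMO_GROUP_ID: DEMO_EXISTING}), DEMO_GROUP_ID, DEMO_REQUEST)
    return naive, revoked, skipped


if __name__ == "__main__":
    print(demo())
```

The naive call reproduces the error from the traceback as soon as one requested rule is absent, while the diff-based version revokes the matching rule and reports the other as skipped. Logging the skipped set is also the quickest way to see whether the Lambda role is talking to a different region or account than the local machine, since the group's rules would then differ from what the script expects.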