调用AssumeRole操作时访问被拒绝

时间:2018-09-25 22:57:11

标签: amazon-web-services aws-lambda amazon-cloudformation amazon-iam

我有一个cloudformation模板,该模板可创建lambda函数以及该lambda函数的角色。我尝试在lambda函数中扮演角色,但不断收到错误消息:

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

我缺少一个步骤吗?不知道为什么我没有权限担任这个角色。我假设如果我得到的错误是访问被拒绝而不是某些执行错误,我就会缺少某种权限。

Cloudformation代码段:

  "LambdaRoleCustomResource": {
      "Type": "AWS::IAM::Role",
      "Condition": "CreateWebACL",
      "DependsOn": "WAFWebACL",
      "Properties": {
        "RoleName": {
          "Fn::Join": ["-", [{
            "Ref": "AWS::StackName"
          }, "Custom-Resource"]]
        },
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["lambda.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Path": "/",
        "Policies": [{
          "PolicyName": "S3Access",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Effect": "Allow",
              "Action": [
                "s3:CreateBucket",
                "s3:GetBucketLocation",
                "s3:GetBucketNotification",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutBucketNotification"
              ],
              "Resource": {
                "Fn::Join": ["", ["arn:aws:s3:::", {
                  "Ref": "AccessLogBucket"
                }]]
              }
            }]
          }
        }

Lambda函数代码段:

sts_client = boto3.client('sts')
        sts_credentials = sts_client.assume_role(RoleArn='arn:aws:iam::XXXXXXXXX:role/portal-cloudfront-waf-Custom-Resource', RoleSessionName='custom-resource-cf-session')
        sts_credentials = sts_credentials['Credentials']
        cf = boto3.client('cloudformation', aws_access_key_id=sts_credentials['AccessKeyId'], aws_secret_access_key=sts_credentials['SecretAccessKey'], aws_session_token=sts_credentials['SessionToken'])
        stack_name = event['ResourceProperties']['StackName']
        cf_desc = cf.describe_stacks(StackName=stack_name)

        global waf
            sts_client = boto3.client('sts')
            sts_credentials = sts_client.assume_role(RoleArn='arn:aws:iam::XXXXXXXX:role/portal-cloudfront-waf-Custom-Resource', RoleSessionName='custom-resource-waf-session')
            sts_credentials = sts_credentials['Credentials']
            s3 = boto3.client('waf', aws_access_key_id=sts_credentials['AccessKeyId'], aws_secret_access_key=sts_credentials['SecretAccessKey'], aws_session_token=sts_credentials['SessionToken'])
            waf = boto3.client('waf')

1 个答案:

答案 0 :(得分:3)

您的Lambda函数将自动使用与该函数所附的角色相关联的权限。无需创建凭据。

因此,只需使用:

cf = boto3.client('cloudformation')
s3 = boto3.client('waf')
相关问题
最新问题