I am trying to create a state machine in AWS Step Functions using the AWS SDK, for example:
stepfunctions.createStateMachine(params, function(err, data)...
I created a Lambda in the AWS console and added the code that creates the state machine. I also gave the role permission to execute this Lambda and to create state machines. I verified the "role permissions" with the Simulator as well, and that was fine (allowed). But when I execute the Lambda, I get an AccessDeniedException.
"errorMessage": "User: arn:aws:sts::555555555:assumed-role/SFN_API_role/SFAPITest is not authorized to perform: states:CreateStateMachine on resource: arn:aws:states:us-east-1:555555555:stateMachine:*",
"errorType": "AccessDeniedException"
"SFN_API_role" is the role and "SFAPITest" is the Lambda. This is the policy as defined:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:ListActivities",
"states:CreateStateMachine",
"states:CreateActivity"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeStateMachine",
"states:StartExecution",
"states:DeleteStateMachine",
"states:ListExecutions"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:GetExecutionHistory",
"states:StopExecution"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeActivity",
"states:DeleteActivity",
"states:GetActivityTask",
"states:SendTaskSuccess",
"states:SendTaskFailure",
"states:SendTaskHeartbeat"
],
"Resource": [
"*"
]
}
]
}
Any pointers would be appreciated!
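An added example, not code from the question or the answer: a Node.js Lambda handler that issues the createStateMachine call described above with the AWS SDK v2 and, when the call fails with AccessDeniedException, parses the error text into principal, action and resource so the exact missing IAM permission can be logged. The account id, role name and the minimal Pass-state definition are constructed placeholders.

```javascript
// Parse AWS's "User: <arn> is not authorized to perform: <action> on resource: <arn>"
// message into its parts so the missing permission can be reported precisely.
function parseAccessDenied(message) {
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  if (!m) return null;
  return { principal: m[1], action: m[2], resource: m[3] };
}

// Build the CreateStateMachine request. roleArn is the execution role that Step
// Functions assumes at run time, so the caller also needs iam:PassRole on it.
// The definition is a constructed minimal state machine with a single Pass state.
function buildParams(name, roleArn) {
  const definition = {
    Comment: 'Constructed minimal definition',
    StartAt: 'Done',
    States: { Done: { Type: 'Pass', End: true } },
  };
  return { name, definition: JSON.stringify(definition), roleArn };
}

// Lambda entry point. The SDK is required lazily so the helpers above can be
// exercised without aws-sdk installed; event carries { name, roleArn }.
async function handler(event) {
  const AWS = require('aws-sdk');
  const stepfunctions = new AWS.StepFunctions({ region: process.env.AWS_REGION });
  const params = buildParams(event.name, event.roleArn);
  try {
    const data = await stepfunctions.createStateMachine(params).promise();
    return { stateMachineArn: data.stateMachineArn };
  } catch (err) {
    if (err.code === 'AccessDeniedException') {
      const denied = parseAccessDenied(err.message);
      // Log the exact gap: the policy attached to denied.principal's role must
      // allow denied.action on denied.resource.
      console.error('IAM denied', JSON.stringify(denied));
    }
    throw err;
  }
}

// Export for Lambda (guarded so the file also loads as a plain script).
if (typeof module !== 'undefined') module.exports = { handler, parseAccessDenied, buildParams };
```

Invoke the Lambda with an event such as `{ "name": "demo", "roleArn": "arn:aws:iam::555555555:role/SFN_API_role" }` and compare the logged action and resource against the role's policy statements.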
Answer 0: (score: 0)
You are using "Resource": ["*"] instead of "Resource": "*". Just change the first part of the policy to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:ListActivities",
"states:CreateStateMachine",
"states:CreateActivity"
],
"Resource": "*"
},
...