适用于SSM的AWS SAM托管策略get参数

时间:2018-11-18 13:56:18

标签: amazon-web-services aws-lambda aws-serverless aws-sam-cli serverless-application-model

对于Lambda函数的DynamoDBReadPolicy权限,是否有任何类似于ssm:GetParameter*的托管策略?我正在使用aws-sam-cli并尝试遵循this,但是当我尝试使用sam local start-api来获取参数时,出现以下错误:

InvalidAction: The action or operation requested is invalid. Verify that the action is typed correctly.

以下是我尝试获取参数的代码段:

const ssm = new AWS.SSM();
const param = {
    Name: "param1",
    WithDecryption: true
};
const secret = await ssm.getParameter(param).promise();

相关模板部分如下。谢谢!

KeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: 'param1Key'
      TargetKeyId: !Ref Key
Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Id: default
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action:
          - 'kms:Create*'
          - 'kms:Encrypt'
          - 'kms:Describe*'
          - 'kms:Enable*'
          - 'kms:List*'
          - 'kms:Put*'
          - 'kms:Update*'
          - 'kms:Revoke*'
          - 'kms:Disable*'
          - 'kms:Get*'
          - 'kms:Delete*'
          - 'kms:ScheduleKeyDeletion'
          - 'kms:CancelKeyDeletion'
          Resource: '*'
          Sid: Allow root account all permissions except to decrypt the key
        Version: 2012-10-17

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      # I think I need the ssm policy here

1 个答案:

答案 0 :(得分:2)

可用的SAM策略模板为{{3}}。这些策略模板均未授予任何SSM操作权限,因此,到目前为止,您无法使用SAM策略模板向AWS Lambda函数授予对SSM参数的访问权限。

作为解决方法,您可以手动将所需的策略声明内联添加到策略中。看起来像:

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      - Statement:
        - Action:
            - ssm:GetParameter
          Effect: Allow
          Resource: arn:aws:ssm:region:account-id:parameter/parameter_name

您还应该考虑打开请求请求,以添加用于对SAM进行SSM参数访问的策略模板,因为这样的模板当然是表达此类权限的更方便的方法。根据我的经验,开发人员非常友好,并且始终欢迎此类添加。

更新:AWS SAM中现在有一个SSMParameterReadPolicy可用,因此您现在可以简单地执行以下操作:

LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ../
      Handler: app.lambda
      Runtime: nodejs8.10
      Policies:
      - DynamoDBReadPolicy:
          TableName: !Ref Table
      - KMSDecryptPolicy:
          KeyId: !Ref Key
      - SSMParameterReadPolicy:
          ParameterName: parameter_name
相关问题
最新问题