我有一个用Python 2.7编写的Lambda函数(rsops),它通过调用boto3的'create_cluster()'方法来创建Redshift集群:
def spinup_cluster(CID, RSU, RSP, RSDB, RSSG, RSAZ, RSPG):
RSC = boto3.client('redshift', region_name=RSAZ[:-1])
return RSC.create_cluster(
DBName=RSDB,
ClusterIdentifier=CID,
ClusterType='multi-node',
NodeType='ds2.xlarge',
MasterUsername=RSU,
MasterUserPassword=RSP,
VpcSecurityGroupIds=[RSSG],
ClusterSubnetGroupName='data',
AvailabilityZone=RSAZ,
PreferredMaintenanceWindow='sun:03:00-sun:03:30',
ClusterParameterGroupName=RSPG,
AutomatedSnapshotRetentionPeriod=1,
Port=5439,
ClusterVersion='1.0',
AllowVersionUpgrade=True,
NumberOfNodes=2,
PubliclyAccessible=True,
Tags=[
{
'Key': 'product',
'Value': 'data'
},
],
Encrypted=False)
分配给此Lambda函数的IAM角色具有对Redshift的完全访问权限(出于测试目的):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LambdaInvokeLambda",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:us-east-1:012345678901:function:spinuprs*",
"arn:aws:lambda:us-east-1:012345678901:function:rsops*"
]
},
{
"Sid": "PassRoleOverToUser",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": [
"arn:aws:lambda:us-east-1:012345678901:function:rsops*",
"arn:aws:redshift:us-east-1:012345678901:cluster:*",
"arn:aws:redshift:us-west-2:012345678901:cluster:*"
]
},
{
"Sid": "RSAccess",
"Action": "redshift:*",
"Effect": "Allow",
"Resource": "*"
}
]
}
信任策略将EC2,Lambda和Redshift授予“ AssumeRole”权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"redshift.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
但是我不断收到“访问拒绝”错误,提示我没有烫发“ CreateCluster”呼叫的机会:
Spin up testcluster (us-east-1, 1-node) ...
Traceback (most recent call last):
File "./rsops.py", line 163, in <module>
resp=spinup_cluster(cid, rsu, rsp, rsdb, rssg, rsaz, rspg)
File "./rsops.py", line 87, in spinup_cluster
Encrypted=False)
File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 320, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 624, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.errorfactory.UnauthorizedOperation: An error occurred (UnauthorizedOperation) when calling the CreateCluster operation: Access Denied. Please ensure that your IAM Permissions allow this operation.
我能够毫无问题地调用delete_cluster()和describe_clusters(),我还从boto3 STS API中调用了“ get_caller_identity()”,以验证其是否使用了正确的IAM角色。
我正在Lambda函数中运行,该Lambda函数可通过NAT实例访问Internet,但是私有子网应该不成问题,因为我正在其中运行其他Lambda函数。我在同一子网中具有以下环境的实例中启动了一个实例,并附加了相同的IAM角色,但仍然出现相同的错误:
AMI: amzn-ami-hvm-2018.03.0.20181129-x86_64-gp2
Python version: 2.7.14
boto3 version: 1.9.64
如果需要更多详细信息,请告诉我。我已经尝试调试了一个星期,但是我无法弄清楚,任何帮助将不胜感激!
答案 0 :(得分:1)
刚从附近的一个AWS阁楼回来,那里的一个好人帮我弄清楚了我的IAM中需要一堆'ec2:Describe *'权限:
ec2:DescribeAccountAttributes
ec2:DescribeAddresses
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DescribeInternetGateways
我想Lambda需要它们检查您在'create_cluster'调用中指定的VPC /子网/安全组是否确实存在。实际上,我为角色修改了内置的“ AmazonRedshiftFullAccess”策略以缩小权限。