调用DescribeVpcEndpoints操作时发生错误(UnauthorizedOperation):您无权执行此操作

时间:2019-02-28 14:00:30

标签: amazon-web-services amazon-ec2 amazon-iam amazon-emr amazon-vpc

执行lambda时出现此错误

调用 DescribeVpcEndpoints 操作时发生错误(UnauthorizedOperation):您无权执行此操作。

我的政策详细信息:

Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "IngestionClusterNodes",
                  "Effect": "Allow",
                  "Action": [
                    "s3:*",
                    "glue:*",
                    "kms:*",
                    "sns:*",
                    "cloudformation:DeleteStack",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:DescribeStacks",
                    "cloudformation:ListStackResources",
                    "cloudwatch:*",
                    "elasticmapreduce:*",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:CreateSecret",
                    "secretsmanager:PutResourcePolicy",
                    "secretsmanager:UpdateSecret",
                    "iam:GetGroup",
                    "ec2:*",
                    "events:*",
                    "logs:*",
                    "ses:*",
                    "sns:*",
                    "sns:Publish"
                  ],
                  "Resource": [
                    "arn:aws:iam::*",
                    "arn:aws:ses:*",
                    "arn:aws:sqs:*",
                    "arn:aws:s3:::*",
                    "arn:aws:logs:*",
                    "arn:aws:sns:*",
                    "arn:aws:cloudformation:*",
                    "arn:aws:cloudwatch:*",
                    "arn:aws:secretsmanager:*",
                    "arn:aws:ec2:*",
                    "arn:aws:events:*:*:*",
                    "arn:aws:logs:*:*:*",
                    "arn:aws:autoscaling:*"
                  ]
                }

我已将上述政策附加到Lambda执行角色。

1 个答案:

答案 0 :(得分:0)

我建议您只需将语句修改为;

            {
              "Sid": "IngestionClusterNodes",
              "Effect": "Allow",
              "Action": [
                "s3:*",
                "glue:*",
                "kms:*",
                "sns:*",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudwatch:*",
                "elasticmapreduce:*",
                "secretsmanager:GetSecretValue",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutResourcePolicy",
                "secretsmanager:UpdateSecret",
                "iam:GetGroup",
                "ec2:*",
                "events:*",
                "logs:*",
                "ses:*",
                "sns:*",
                "sns:Publish"
              ],
              "Resource": ["*"]
            }

仅需注意,VPCendpoint没有Arns。只有id vpce-092e602ea1a16886e,因此资源块中的ec2:*不允许您描述vpc端点。