AWS Lambda访问API网关

时间:2019-02-28 16:13:02

标签: amazon-web-services aws-lambda aws-api-gateway aws-serverless

我有如下定义的无服务器功能

UserLockoutLambda:
    Type: "AWS::Lambda::Function"
    Properties:
        Handler: "com.url.ftp.userlockout.LockUserLambda::handleRequest"
        Role: !GetAtt UserLockoutLambdaRole.Arn
        Code:
            S3Bucket: !Ref lambdas3bucketname
            S3Key: !Ref lambdas3key
        Runtime: "java8"
        MemorySize: 256
        Timeout: 300
        FunctionName: !Sub 'url-lambda-lam-${AWS::Region}-${envtag}'
        Environment:
            Variables:
                USER_MGMT_API_URL:
                    !Sub 'https://urlapi.${envtag}.${hostedzonename}/uma/LATEST/'
                USER_MGMT_API_KEY_NAME:
                    !Sub 'url-cfmusermgmt-apikey-${envtag}'
        Tags:
            - Key: Name
                Value: !Sub 'url-cfmuserlockoutlambda-lam-${AWS::Region}-${envtag}'
            - Key: function
                Value: lambda function that locks the proftp user when failed login attempts reach threshold value

我已经按照以下步骤设置了角色和策略(这是供lambda访问apiGateway的方法)

UserLockoutLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
        RoleName: !Sub "url-lambda-iam-${AWS::Region}-role_${envtag}"
        AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: "Allow"
                    Principal:
                        Service:
                            - "lambda.amazonaws.com"
                            - "apigateway.amazonaws.com"
                    Action:
                        - "sts:AssumeRole"
        Path: "/"
        ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
            - !Ref UserLockoutLambdaManagedPolicy

UserLockoutLambdaManagedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
        ManagedPolicyName: !Sub "url-lambda-iam-${AWS::Region}-policy_${envtag}"
        PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: "Allow"
                    Action:
                        - "execute-api:Invoke"
                    Resource:
                        - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/lockuser/*'
                        - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/invalidlogin/*'
                        - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/unlockuser/*'
                - Effect: "Allow"
                    Action:
                        - "apigateway:GET"
                    Resource:
                        - !Sub 'arn:aws:apigateway:${AWS::Region}::/apikeys'

但是,当我从代码中调用api网关时,出现以下错误:

"Message": "User: arn:aws:sts::<id>:assumed-role/url-lambda-iam-us-east-1-role_i2388/url-cfmuserlockoutlambda-lam-us-east-1-i2388
is not authorized to perform: execute-api:Invoke on resource: 
arn:aws:execute-api:us-east-1:********3636:apiGatewayID/LATEST/PUT/ftpuser/invalidlogin" }

从外观上看,Lambda函数名称已添加到假定的角色中,并且显然没有为此编写策略。我不确定为什么要附加函数名,以及如何更改策略才能使其起作用。

任何帮助都将不胜感激。

谢谢 卡尔提克

1 个答案:

答案 0 :(得分:0)

我发现了一个可能有问题的地方 您的lambda授权在资源上调用api-'... / invalidlogin / *'

但尝试调用'... / invalidlogin'

我认为您需要从资源arn中删除'/ *'

相关问题
最新问题