I am trying to create a Lambda function in AWS with the AWS CLI. When I run the command I get the error below. The role I pass in the command has enough permissions to deploy a Lambda function, so I don't understand what is going wrong, given that the role does have the permissions.
Command:
aws lambda create-function --function-name ukmon-appd-disabled-health-rules --runtime python3.7 --zip-file fileb://bin/disabled_health_rules.zip --handler index.handler --timeout 10 --memory-size 1024 --role arn:aws:iam::99999999999:role/crossaccount
Policy:
"AllowLambdaFunctionStack": {
  "Type": "AWS::IAM::ManagedPolicy",
  "Properties": {
    "Description": "Policy for allowing jenkins cross account service role to create, update, delete lambda functions.",
    "Path": "/",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "lambda:InvokeFunction",
            "lambda:CreateFunction",
            "lambda:DeleteFunction",
            "lambda:GetFunction",
            "lambda:ListFunctions",
            "lambda:UpdateFunctionCode",
            "lambda:GetFunctionConfiguration",
            "lambda:UpdateFunctionConfiguration",
            "lambda:AddPermission",
            "lambda:RemovePermission",
            "lambda:CreateAlias",
            "lambda:DeleteAlias",
            "lambda:GetAlias",
            "lambda:ListAliases",
            "lambda:UpdateAlias",
            "lambda:GetPolicy",
            "lambda:InvokeAsync",
            "lambda:ListVersionsByFunction",
            "lambda:PublishVersion",
            "lambda:CreateEventSourceMapping",
            "lambda:GetEventSourceMapping",
            "lambda:ListEventSourceMappings",
            "lambda:DeleteEventSourceMapping",
            "lambda:UpdateEventSourceMapping",
            "lambda:TagResource",
            "lambda:ListTags",
            "lambda:UntagResource"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",
          "Sid": "AllowLambdaFuctionsStacks"
        }
      ]
    }
  }
}
Error:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:sts::999999999999:assumed-role/crossaccount/i-0d2dd689c2784f174 is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:eu-west-1:999999999999:function:ukmon-appd-disabled-health-rules
Thanks.
Answer 0 (score: 2)
I think you are confusing the IAM roles. The IAM role you pass to the create-function AWS CLI call is the role the Lambda service will assume at runtime, i.e. the permissions you give your Lambda function when it runs.
To be authorized to make the aws lambda create-function CLI call, your environment must have the CreateFunction permission.
But if you are not confusing the roles, then there is a problem in the policy. It authorizes the listed API calls on all Lambda resources matching "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*". The Lambda function you are trying to create is named ukmon-appd-disabled-health-rules, and only function names starting with crossaccount- are authorized.
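To see why the Resource pattern in the question's policy rejects the function in the error, here is an added example (not code from the question or answer) that evaluates a single IAM Allow statement against an action and a resource ARN using IAM's wildcard rules (`*` any run of characters, `?` one character; action names match case-insensitively). The ARNs and the narrowed pattern in FIXED_STATEMENT are taken from the page or constructed for illustration.

```python
import re

# Relevant fields of the statement posted in the question (constructed copy).
STATEMENT = {
    "Effect": "Allow",
    "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode"],
    "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",
}

# Hypothetical least-privilege variant: scoped to the prefix the deploy job actually uses.
FIXED_STATEMENT = dict(
    STATEMENT,
    Resource="arn:aws:lambda:eu-west-1:999999999999:function:ukmon-appd-*",
)

# Function ARN quoted in the AccessDeniedException from the question.
FUNCTION_ARN = "arn:aws:lambda:eu-west-1:999999999999:function:ukmon-appd-disabled-health-rules"


def iam_pattern_to_regex(pattern, ignore_case=False):
    """Translate an IAM wildcard pattern into an anchored regex.

    '*' matches any sequence of characters (including ':' and '/'),
    '?' matches exactly one character, everything else is literal.
    """
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(parts) + "$", flags)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_allows(statement, action, resource_arn):
    """Return True if this Allow statement covers the action on the resource."""
    if statement.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive in IAM; resource ARNs are matched as written.
    action_ok = any(
        iam_pattern_to_regex(a, ignore_case=True).match(action) for a in _as_list(statement["Action"])
    )
    resource_ok = any(
        iam_pattern_to_regex(r).match(resource_arn) for r in _as_list(statement["Resource"])
    )
    return action_ok and resource_ok


if __name__ == "__main__":
    for name, stmt in (("posted policy", STATEMENT), ("narrowed policy", FIXED_STATEMENT)):
        print(f"{name}: CreateFunction on target -> {statement_allows(stmt, 'lambda:CreateFunction', FUNCTION_ARN)}")
```

The posted statement only matches function ARNs whose name begins with crossaccount-, so the CreateFunction call on ukmon-appd-disabled-health-rules is denied exactly as the error reports; the same check passes once the Resource pattern covers that prefix.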