我试图授予lambda执行访问组中选定成员的权限。通过Ping联合身份验证用户。我在向联盟用户授予此选择性访问权限时遇到问题。
我对此角色附加了自定义IAM策略(allow-lambda-invocation-selective)。尽管该策略似乎通过了验证,并且策略模拟显示了当我尝试执行lambda函数时允许访问,但仍收到消息
Calling the invoke API action failed with this message: User:arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function
这是我的政策:allow-lambda-invocation-selective
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
}
]
}
我想念什么吗?
答案 0 :(得分:0)
我正试图了解您的问题。如果我做错了假设,请纠正我。
对用户进行身份验证时,他们将扮演其假定的角色。 myuser1234在通过身份验证后将获得arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234角色,对吗?是否可以为每个组创建一个角色并删除conditions属性(请检查说明原因的第2项)?
// role-for-grp-l2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*"
}
]
}
aws:userid 的问题阅读关于aws:userid键docs的信息,我们可以发现此键具有角色ID:caller-specified-role-name ,
其中角色ID为unique id of the role,而调用方指定的角色名称由传递给AssumeRole请求的RoleSessionName parameter指定。
因此aws:userid的值类似于AIDAJQABLZS4A3QDU576Q:SomeNameYouGive。因此,您的条件永远不会与arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234匹配,因此用户将无法承担该操作。
假设RoleSessionName是用户名,则可以通过以下方式使用条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
}
]
}
如果愿意,可以使用以下命令使用AWS CLI删除*通配符,以获取role id:
aws iam get-role --role-name ROLE_NAME
并更改条件如下:
"Condition": {
"StringEquals": {
"aws:userid": "ROLE_ID:myuser1234"
}
}