我是AWS SAM模板的新手,并希望能够创建具有一系列策略的角色,然后为lambda函数引用该角色。但是,尝试部署时出现以下错误:
“角色”处的值“ MyRole”未能满足约束:成员必须满足正则表达式模式:arn:(aws [a-zA-Z-] *)?: iam :: \ d {12}:role / ?[a-zA-Z_0-9 + =,。@ -_ //] +
此答案提到我可以将策略直接添加到该函数中,但是我将有许多需要相同策略的函数,因此这不是一种非常干燥的方法 IAM role inside SAM template
问题是我不能在新创建的角色上使用!GetAtt吗?
这是我的template.yml的样子:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get
答案 0 :(得分:1)
您的lambda函数定义中缺少“属性”标签,并且缺少策略列表-第一个策略。
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
-
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Properties:
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get