我想使用无服务器框架从另一个函数中调用带有自定义角色的lambda函数,我应该怎么做,我已经赋予了调用权限,但似乎还不够,因为另一个函数具有更多的权限,这是由角色赋予
我得到的错误,
ocr-solution-dev-routes is not authorized to perform:textract:StartDocumentAnalysis",
"errorType":"AccessDeniedException"
我的无服务器yml
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource: { "Fn::Join": ["", ["arn:aws:s3:::${self:custom.secrets.IMAGE_BUCKET_NAME}", "/*" ] ] }
- Effect: "Allow"
Action:
- lambda:InvokeFunction
- lambda:InvokeAsync
Resource: "*"
functions:
routes:
handler: src/functions/routes/handler.run
events:
- s3:
bucket: ${self:custom.secrets.IMAGE_BUCKET_NAME}
event: s3:ObjectCreated:*
startTextract:
role: QvaliaTextractRole
handler: src/functions/routes/handler.startTextAnalysis
getTextract:
role: QvaliaTextractRole
handler: src/functions/routes/handler.detectTextAnalysis
resources:
Resources:
QvaliaTextractRole:
Type: AWS::IAM::Role
Properties:
RoleName: QvaliaTextractRole
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service:
- textract.amazonaws.com
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: TextractPolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- lambda:*
- sns:*
- sqs:*
- s3:*
Resource: "*"
- Effect: "Allow"
Action:
- "s3:*"
Resource: { "Fn::Join": ["", ["arn:aws:s3:::${self:custom.secrets.IMAGE_BUCKET_NAME}", "/*" ] ] }
答案 0 :(得分:0)
AmazonTextractFullAccess策略添加到您的角色中
iamManagedPolicies:
- arn:aws:iam::aws:policy/AmazonTextractFullAccess