Apparently I have hit the policy size limit of a Lambda function that is used together with aws-cognito and aws-api-gateway:
The final policy size is bigger than the limit (20480)
So my Lambda function's resource-based policy is full of all the allowed endpoints from API Gateway, for example:
    {
      "Sid": "eff74414-a6bd-4520-bf67-691ced3245d5",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/company"
        }
      }
    },
    {
      "Sid": "6d52e172-84b6-4196-b924-f83b78153bc5",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:eu-central-1:ID:function:FUNCTION",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/companies"
        }
      }
    },
    ...
I know there is a way to consolidate these statements using the AWS CLI:
aws lambda add-permission --function-name 'FUNCTION' --statement-id '7bd8e791-7d28-41d0-9ebd-7e2596574fd5' --action "lambda:InvokeFunction" --principal "apigateway.amazonaws.com" --source-arn "arn:aws:execute-api:eu-central-1:ID:API_ID/*/GET/*/*/*" --source-account "ID" --region 'eu-central-1'
Although I can add this permission, it is invalid:
The API with ID API_ID does not include a resource with path /*/*/* that has an integration arn:aws:lambda:eu-central-1:ID:function:FUNCTION on the GET method.
So what can I do to merge all my API permissions?
Answer 0 (score: 0)
OK, so I found the solution. In every resource method in API Gateway, I set an Execution role in the Integration Request.
This execution role needs a trust relationship with api-gateway, and then it works fine :)
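The following is an added example, not code from the question or answer above: it shows why the per-endpoint resource-based statements quoted in the question blow through the 20480-byte limit, and what the two IAM documents behind the answer's execution-role approach look like (a trust policy for apigateway.amazonaws.com and a single lambda:InvokeFunction permission). ID, API_ID and FUNCTION are the question's placeholders; the aws:SourceArn condition in the trust policy is an assumption added here so that only this API can assume the role.

```python
import json

# Placeholders copied from the question (ID, API_ID and FUNCTION are not real values).
LAMBDA_ARN = "arn:aws:lambda:eu-central-1:ID:function:FUNCTION"
API_ARN_PREFIX = "arn:aws:execute-api:eu-central-1:ID:API_ID"
POLICY_LIMIT = 20480  # resource-based policy size limit quoted in the error message

def per_endpoint_statement(sid, method, path):
    """One resource-based policy statement of the kind API Gateway adds per method."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": LAMBDA_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": f"{API_ARN_PREFIX}/*/{method}/{path}"}},
    }

def resource_policy_size(routes):
    """Serialised size of a Lambda resource-based policy with one statement per route."""
    statements = [per_endpoint_statement(f"stmt-{i}", m, p) for i, (m, p) in enumerate(routes)]
    policy = {"Version": "2012-10-17", "Statement": statements}
    return len(json.dumps(policy, separators=(",", ":")))

def exceeds_limit(routes):
    """True when the per-endpoint policy for these routes would be rejected by Lambda."""
    return resource_policy_size(routes) > POLICY_LIMIT

def execution_role_documents(api_arn_prefix=API_ARN_PREFIX, lambda_arn=LAMBDA_ARN):
    """Trust policy and permissions policy for the execution-role approach from the answer.
    The trust policy is pinned to this API with aws:SourceArn (assumed condition) so that
    no other API Gateway deployment can assume the role; the permissions policy is the one
    statement that replaces all per-endpoint statements on the function. Its size does not
    grow with the number of routes."""
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"ArnLike": {"aws:SourceArn": f"{api_arn_prefix}/*"}},
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": lambda_arn}],
    }
    return trust, permissions

if __name__ == "__main__":
    routes = [("GET", f"resource{i}") for i in range(120)]  # constructed sample of 120 routes
    print(resource_policy_size(routes), exceeds_limit(routes))
    trust, perms = execution_role_documents()
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
```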