Serverless deployment: Lambda was unable to assume the existing IAM role

Time: 2019-11-25 11:11:32

Tags: amazon-web-services amazon-iam serverless

I feel this question has been asked a lot, but none of the current answers have helped.

I am trying to deploy an application using Serverless. My serverless.yml is:

app: product-events-api

service: product-events
custom:
  secrets: ${ssm:/aws/reference/secretsmanager/serverless-product-events-${self:provider.stage}~true, ''}
provider:
  name: aws
  runtime: nodejs10.x
  region: eu-west-1
  stage: ${opt:stage, 'preview'}
  timeout: 30
  # Role ARN must adhere to the RegEx: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+
  role: arn:aws:iam::${self:custom.secrets.AWS_ACCOUNT_ID}:role/${self:custom.secrets.IAM_ROLE_NAME}
  vpc: ${self:custom.secrets.vpc}
  environment:
    STAGE: ${self:provider.stage}
    NODE_ENV: production
    DB_NAME: ${self:custom.secrets.DB_NAME}
    DB_URL: ${self:custom.secrets.DB_URL}

functions:
  getProductEvents:
    handler: src/routes/api/handler.events
    memorySize: 1024
    description: Get product event
    events:
      - http:
          path: /events
          method: get

The full ARN of the role is arn:aws:iam::<Account ID>:role/lambda_basic_execution

Running sls deploy --stage production gives me the error:

An error occurred: GetProductEventsLambdaFunction - The role defined for the function cannot be assumed by Lambda. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4750b33e-329c-4383-abd4-a61ec4d326b2).

Almost all of the lambdas we have use this IAM role. I turned to this answer and tried to define role at the function level by name only, but got:

The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource lamba_basic_execution

If I run aws iam get-role --role-name lambda_basic_execution, I get:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    },
                    "Effect": "Allow",
                    "Sid": ""
                }
            ]
        },
        "MaxSessionDuration": 3600,
        "RoleId": "<Role ID>",
        "CreateDate": "2015-10-13T15:06:34Z",
        "RoleName": "lambda_basic_execution",
        "Path": "/",
        "Arn": "arn:aws:iam::<Account ID>:role/lambda_basic_execution"
    }
}

If I remove the role declaration from the template, the deployment works fine, and I can then add the role manually through the console. I think this is a Serverless problem.
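Before going down the Serverless route, it is worth checking the two conditions this exact error depends on: the role ARN has the shape the serverless.yml comment above requires, and the role's trust policy lets the Lambda service principal call sts:AssumeRole. The script below is an added example of such an offline pre-deploy check, not something from the question or from the Serverless project; the sample documents are constructed to mirror the get-role output above (with a fake 12-digit account id), and the function names are my own.

```python
import copy
import re

# The ARN format quoted in the serverless.yml comment, anchored so the whole string must match.
ROLE_ARN_RE = re.compile(r"^arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+$")

# Constructed sample shaped like the `aws iam get-role` output in the question.
# The account id is a made-up placeholder, not a real account.
GOOD_ROLE = {
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {"Service": "lambda.amazonaws.com"},
                    "Effect": "Allow",
                    "Sid": "",
                }
            ],
        },
        "RoleName": "lambda_basic_execution",
        "Arn": "arn:aws:iam::123456789012:role/lambda_basic_execution",
    }
}

# Constructed counter-example: the same role, but its trust policy only names EC2.
# A role created for another service is the usual reason Lambda cannot assume it.
EC2_TRUST_ROLE = copy.deepcopy(GOOD_ROLE)
EC2_TRUST_ROLE["Role"]["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]["Service"] = "ec2.amazonaws.com"


def _as_list(value):
    """IAM lets many fields be either a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def role_arn_is_valid(arn):
    """True if the ARN has the shape Serverless requires (12-digit account id, role/ path)."""
    return ROLE_ARN_RE.match(arn) is not None


def lambda_can_assume(trust_policy):
    """True if an Allow statement grants sts:AssumeRole to lambda.amazonaws.com and
    no Deny statement takes it away (an explicit Deny always wins in IAM)."""
    allowed = denied = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "lambda.amazonaws.com" not in services:
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny":
            denied = True
    return allowed and not denied


def check_role(role_json):
    """Run both checks on a get-role style document and return a list of findings;
    an empty list means Lambda should be able to assume the role."""
    role = role_json["Role"]
    findings = []
    if not role_arn_is_valid(role["Arn"]):
        findings.append(f"ARN does not match the required format: {role['Arn']}")
    if not lambda_can_assume(role["AssumeRolePolicyDocument"]):
        findings.append("trust policy does not allow lambda.amazonaws.com to call sts:AssumeRole")
    return findings


if __name__ == "__main__":
    for name, doc in (("good role", GOOD_ROLE), ("ec2-only trust", EC2_TRUST_ROLE)):
        print(name, "->", check_role(doc) or "OK")
```

To use it against a real account, feed `json.load()` of the `aws iam get-role` output into `check_role`. Note that the redacted ARN in the question, with `<Account ID>` in place of the twelve digits, fails the ARN check as written, which is also what happens when `${self:custom.secrets.AWS_ACCOUNT_ID}` resolves to an empty string because the secret lookup returned the `''` default.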

1 Answer:

Answer 0: (score: 0)

As you mentioned, a few lambdas use the same IAM role, so I would suggest creating the IAM role as part of the serverless.yml script. The benefit of this approach is that you can easily add or remove any permissions based on future requirements. You can do something like
YourIAMRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Policies:
      # Any permission you want to add; as an example I am adding S3
      - PolicyName: "resources_access"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action: "s3:Get*"
              Resource: !Join
                - ''
                - - "arn:aws:s3:::"
                  - !Ref YourParameteredBucketName

Once that is done, you can assign this role to your function as follows:

role: !GetAtt YourIAMRole.Arn