AWS STS temporary credentials: InvokeFunction on Lambda does not work

Time: 2019-12-10 23:43:42

Tags: amazon-web-services aws-lambda aws-sdk aws-sts

I am issuing STS tokens for the user interface that include the following statement for Lambda permissions:

   {
     "Sid" : "AllowUserInvokeLambda",
     "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
     ],
     "Effect": "Allow",
     "Resource": [
         "arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
         "arn:aws:lambda:us-east-2:*:function:ImageScanner"
     ]
   },

When I try to invoke the function from aws-sdk.js in the browser, I get the following error message:

"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"

Am I missing something in this policy?

1 answer:

Answer 0 (score: 1)

I found the problem: your policy is missing the account number.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserInvokeLambda",
      "Action": [
        "lambda:InvokeAsync",
        "lambda:InvokeFunction"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:lambda:ap-southeast-2:012345678901:function:*"
      ]
    }
  ]
}

Note: also, you should attach this policy to the role you are going to assume, not to the user who assumes it. Can you confirm that part?

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
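As an added example, not code from the original question or answer: a small offline model in JavaScript of how an assumed-role session is authorized, so the two halves of the answer's note can be checked without an AWS account. IAM accepts `*` in any segment of a resource ARN, so the matcher below treats the question's resource pattern as matching the ARN in the error message; what the model then shows is the point the note raises: a policy passed at AssumeRole time is a session policy, and the session is granted an action only where the role's own attached policy also allows it. The role policy, the account IDs and the function names are constructed sample data, and the evaluator is deliberately simplified (no Condition, NotAction, resource-based policies or SCPs); it is not the AWS SDK.

```javascript
// Added example, not from the original post: a simplified model of IAM
// policy evaluation for an assumed-role session. Runs offline.

// Constructed sample: the role's attached identity policy. It grants S3
// only; nothing here mentions Lambda. Bucket name is an assumption.
const ROLE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:GetObject"], Resource: ["arn:aws:s3:::thumbnails/*"] }
  ]
};

// The statement from the question, passed as a session policy to AssumeRole.
const SESSION_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AllowUserInvokeLambda",
      Effect: "Allow",
      Action: ["lambda:InvokeAsync", "lambda:InvokeFunction"],
      Resource: [
        "arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
        "arn:aws:lambda:us-east-2:*:function:ImageScanner"
      ]
    }
  ]
};

// The "fix" from the answer's note: the same statement attached to the role.
const FIXED_ROLE_POLICY = {
  Version: "2012-10-17",
  Statement: [...ROLE_POLICY.Statement, ...SESSION_POLICY.Statement]
};

// The resource ARN from the error message in the question (account ID as shown there).
const TARGET_ARN = "arn:aws:lambda:us-east-2:198765432109:function:ImageScanner";

// Turn an IAM wildcard pattern into a RegExp: "*" matches any run of
// characters (IAM lets it span ARN segments), "?" matches exactly one.
// Action names compare case-insensitively; resource ARNs do not.
function iamPatternToRegExp(pattern, ignoreCase) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", ignoreCase ? "i" : "");
}

function toList(v) {
  return Array.isArray(v) ? v : [v];
}

// Evaluate one policy document for one action on one resource.
// An explicit Deny wins over any Allow; no match at all is an implicit deny.
function evaluatePolicy(policy, action, resourceArn) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const actionMatch = toList(stmt.Action).some(a => iamPatternToRegExp(a, true).test(action));
    const resourceMatch = toList(stmt.Resource).some(r => iamPatternToRegExp(r, false).test(resourceArn));
    if (!actionMatch || !resourceMatch) continue;
    if (stmt.Effect === "Deny") return "Deny";
    allowed = true;
  }
  return allowed ? "Allow" : "ImplicitDeny";
}

// An assumed-role session may perform an action only if BOTH the role's
// identity policy and the session policy (when one was passed) allow it.
// The session policy can narrow the role's permissions but never widen them.
function sessionIsAuthorized(rolePolicy, sessionPolicy, action, resourceArn) {
  if (evaluatePolicy(rolePolicy, action, resourceArn) !== "Allow") return false;
  if (!sessionPolicy) return true;
  return evaluatePolicy(sessionPolicy, action, resourceArn) === "Allow";
}

// Walk through the question's situation and the answer's proposed fix.
function demo() {
  const action = "lambda:InvokeFunction";
  return {
    sessionPolicyMatchesTarget: evaluatePolicy(SESSION_POLICY, action, TARGET_ARN),
    authorizedBeforeFix: sessionIsAuthorized(ROLE_POLICY, SESSION_POLICY, action, TARGET_ARN),
    authorizedAfterFix: sessionIsAuthorized(FIXED_ROLE_POLICY, SESSION_POLICY, action, TARGET_ARN),
    otherRegion: evaluatePolicy(SESSION_POLICY, action,
      "arn:aws:lambda:ap-southeast-2:198765432109:function:ImageScanner")
  };
}

console.log(demo());
```

Running it prints the session policy matching the target ARN on its own, the session still unauthorized while the role policy says nothing about Lambda, and authorized once the Lambda statement is attached to the role; a function in another region stays implicitly denied. When debugging a real "is not authorized" error for an STS session, check the role's attached policies first, then any session policy passed to AssumeRole, since the effective permission is the intersection of the two.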