AWS Lambda assume-role call does not pick up the execution role and therefore fails

Time: 2019-12-18 14:19:16

Tags: python python-3.x aws-lambda amazon-iam

This code, which generates a temporary sign-in URL, works fine when I run it locally using my AWS configuration.

import json
import sys

import requests  # 'pip install requests'
import boto3     # AWS SDK for Python (Boto3) 'pip install boto3'

# URL-quoting helper that works on both Python 2 and Python 3
if sys.version_info[0] < 3:
    from urllib import quote_plus as quote_plus_function
else:
    from urllib.parse import quote_plus as quote_plus_function


def lambda_handler(event, context):
    print(event)
    sts_connection = boto3.client('sts')

    assumed_role_object = sts_connection.assume_role(
        RoleArn="**** my role arn which I want to assume *******",
        RoleSessionName="AssumeRoleSession",
    )

    # Step 3: Format resulting temporary credentials into JSON
    credentials = assumed_role_object['Credentials']
    url_credentials = {
        'sessionId': credentials['AccessKeyId'],
        'sessionKey': credentials['SecretAccessKey'],
        'sessionToken': credentials['SessionToken'],
    }
    json_string_with_temp_credentials = json.dumps(url_credentials)

    # Step 4: Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
    # the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
    # as parameters.
    request_parameters = "?Action=getSigninToken"
    request_parameters += "&SessionDuration=43200"
    request_parameters += "&Session=" + quote_plus_function(json_string_with_temp_credentials)
    request_url = "https://signin.aws.amazon.com/federation" + request_parameters
    r = requests.get(request_url)
    print(r)
    # Returns a JSON document with a single element named SigninToken.
    signin_token = json.loads(r.text)

    # Step 5: Create URL where users can use the sign-in token to sign in to
    # the console. This URL must be used within 15 minutes after the
    # sign-in token was issued.
    request_parameters = "?Action=login"
    request_parameters += "&Issuer=Example.org"
    request_parameters += "&Destination=" + quote_plus_function("https://console.aws.amazon.com/")
    request_parameters += "&SigninToken=" + signin_token["SigninToken"]
    request_url = "https://signin.aws.amazon.com/federation" + request_parameters

    # Send final URL to stdout
    print(request_url)

    return {
        "statusCode": 200,
        "body": {
            "url": request_url,
        },
    }

I updated the trust relationship of the role I want to assume as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "**********arn to the role with which code is running ********"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

When I run it locally the code works fine, but when I deploy it to Lambda and update the role ARN with the Lambda execution role (which has full admin access), the code does not run and reports: User: arn:aws:sts::lambdaexceutionrole/lambdaname is not authorized to assume the role in question. My question is why the Lambda execution role changed from arn:aws:lambdaexecutionrole to arn:aws:sts::arn:aws:lambdaexecutionrole/lambdaname.

I made sure that arn:aws:lambdaexecutionrole is attached to my Lambda function.
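The error message quotes the caller in the `arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION` form, which is the STS session identity a Lambda function runs under (with the function name as the session name), not a renamed execution role; a trust policy whose principal is the IAM role ARN `arn:aws:iam::ACCOUNT:role/ROLE` matches every session of that role. The following added example (not code from the question) models that matching offline so a trust policy can be sanity-checked against the session ARN an AccessDenied message reports. The account id, role name and function name are constructed placeholders; the real evaluation additionally requires the caller's own identity policy to allow `sts:AssumeRole`, which this check does not model.

```python
import json
import re

# Constructed placeholder values (not taken from the question).
ACCOUNT_ID = "123456789012"
EXECUTION_ROLE_ARN = "arn:aws:iam::123456789012:role/lambda-execution-role"
# The identity STS reports for code running in the function "my-function"
# under that execution role: an assumed-role session, named after the function.
CALLER_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/lambda-execution-role/my-function"

# Trust policy of the target role, in the same shape as the one in the question,
# with the IAM role ARN of the execution role as the principal.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/lambda-execution-role"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Assumed-role session ARNs carry the account id, the role name and the session name.
# The role's IAM path (if any) is not part of the session ARN.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>[^/]+)$"
)


def parse_session_arn(session_arn):
    """Split an STS assumed-role session ARN into account, role name and session name."""
    m = ASSUMED_ROLE_RE.match(session_arn)
    if m is None:
        raise ValueError("not an STS assumed-role session ARN: %s" % session_arn)
    return {"account": m.group("account"), "role": m.group("role"), "session": m.group("session")}


def role_arn_from_session_arn(session_arn):
    """Map a session ARN back to the IAM role ARN the session was created from."""
    parts = parse_session_arn(session_arn)
    return "arn:aws:iam::%s:role/%s" % (parts["account"], parts["role"])


def assume_role_principals(policy):
    """Collect the principals of Allow statements that grant sts:AssumeRole."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append("*")          # anyone: an over-broad trust policy
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        found.extend(aws)
    return found


def trust_policy_allows(policy, caller_session_arn):
    """True if the trust policy names the caller's role, its exact session, or its account."""
    parts = parse_session_arn(caller_session_arn)
    role_arn = role_arn_from_session_arn(caller_session_arn)
    account_root = "arn:aws:iam::%s:root" % parts["account"]
    for principal in assume_role_principals(policy):
        if principal == "*":
            return True
        # A role ARN principal matches every session of that role; a session ARN
        # principal matches that one session only.
        if principal in (role_arn, caller_session_arn):
            return True
        # An account-level principal delegates to IAM policies in that account:
        # any principal there whose own policy allows sts:AssumeRole may assume the role.
        if principal in (account_root, parts["account"]):
            return True
    return False


if __name__ == "__main__":
    print("caller session:", CALLER_SESSION_ARN)
    print("originating role:", role_arn_from_session_arn(CALLER_SESSION_ARN))
    print("trust policy allows caller:", trust_policy_allows(TRUST_POLICY, CALLER_SESSION_ARN))
```

At runtime the same session form is what `boto3.client('sts').get_caller_identity()['Arn']` returns from inside the function, so comparing that value against the trust policy with `trust_policy_allows` is a quick way to confirm the principal on both sides refers to the same role before looking elsewhere for a denial.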

0 answers:

No answers