sls deploys multiple IAM roles for a Lambda; the assumed role is the wrong one and lacks permissions

Time: 2020-04-07 01:47:28

Tags: amazon-web-services serverless

I'm currently running an sls project with 2 lambda functions. One pushes items into DynamoDB, the other is triggered when items are pushed into DynamoDB (stream). "process lambda" -> DDB -> "build lambda".

When testing locally with sls, all PutItem calls work. When I sls deploy and test on AWS, I get access denied:

assumed-role/app-client-onboarder-dev-us-east-2-lambdaRole/app-client-onboarder-dev-app_new_client_process is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:123456789:table/dev-app-clients 

When I look in IAM, there are 2 roles for this deployment (I thought there would be only 1):

  1. arn:aws:iam::123456789:role/AppClient-dev-BuildProcessLambdaExecutionRole
  2. arn:aws:iam::123456789:role/app-client-onboarder-dev-us-east-2-lambdaRole

The assumed-role above is assumed-role/role 1./role 2.

  • The first is defined in resources (see bottom) and contains separate policies
  • The second appears to be built for the cf/sls deployment; it has one policy with multiple statements and is missing key permissions (e.g. dynamodb:PutItem).

With sls deploying the Lambda to assume the defined role, what am I missing such that sls creates a new role and policy? Where does the second "deploy"-level role come from?

An excerpt of serverless.yml follows.

service: app-client-onboarder


provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev

functions:
  app_new_client_process:
    handler: lambda/handler.app_new_client_process
    tracing: true
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}

  app_new_client_build_resources:
    handler: lambda/handler.app_new_client_build_resources
    tracing: true
    events:
      - stream: ${self:custom.client-table-updates.${self:provider.stage}}
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}


resources:
  Resources: 
    appClientBuildProcessLambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appClient-${self:provider.stage}-BuildProcessLambdaExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
        - PolicyName: appClientDynamoDBIamPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "dynamodb:DescribeTable"
                  - "dynamodb:GetItem"
                  - "dynamodb:PutItem"
                  - "dynamodb:DescribeStream"
                  - "dynamodb:ListStreams"
                  - "dynamodb:ListTables"
                Resource: "arn:aws:dynamodb:*:146449424444:table/*app-client*"
        - PolicyName: appLogsIamPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "arn:aws:logs:*:146449424444:*"
        - PolicyName: appXrayTracingPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "xray:PutTraceSegments"
                  - "xray:PutTelemetryRecords"
                Resource: "*"

plugins: 
  - serverless-plugin-tracing

2 answers:

Answer 0 (score: 0)

You need to define the permissions for your serverless project under provider -> iamRoleStatements:

provider:

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "dynamodb:Query" 
        - "dynamodb:PutItem"
        - "dynamodb:UpdateItem"
      Resource: YOUR_DYNAMODB_ARN

Answer 1 (score: 0)

Set the role name defined in resources at the appropriate scope.

provider level:

provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev
  role: AppExRole

function level (if each function has a different set of permissions):

functions:
  f1:
    role: AppExRole
  f2:
    role: AppExRole2
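Both answers come down to the same check: each function must actually run under a role that grants the action, either the generated role widened via provider.iamRoleStatements (Answer 0) or the custom role selected with `role:` at provider or function level (Answer 1). The Python below is an added example, not code from the question or the Serverless Framework: it resolves the effective role per function (function-level `role`, then `provider.role`, else the generated default) and statically checks whether that role's statements allow an action on a resource. CONFIG is a constructed, trimmed version of the question's serverless.yml, with the second function pointed at the custom role to show the difference; DEFAULT_ROLE is a placeholder name.

```python
import fnmatch

# Constructed config mirroring the question's serverless.yml (trimmed): the custom role
# exists under resources, the first function does not reference it, the second does.
CONFIG = {
    "provider": {"name": "aws", "stage": "dev"},
    "functions": {
        "app_new_client_process": {"handler": "lambda/handler.app_new_client_process"},
        "app_new_client_build_resources": {"handler": "lambda/handler.app_new_client_build_resources",
                                           "role": "appClientBuildProcessLambdaExecutionRole"},
    },
    "resources": {"Resources": {"appClientBuildProcessLambdaExecutionRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"Policies": [{"PolicyName": "appClientDynamoDBIamPolicy", "PolicyDocument": {
            "Statement": [{"Effect": "Allow",
                           "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                           "Resource": "arn:aws:dynamodb:*:123456789:table/*app-client*"}]}}]},
    }}},
}
DEFAULT_ROLE = "<serverless-generated lambdaRole>"  # placeholder name for the auto-created role


def resolve_role(config, fn_name):
    """Function-level role wins, then provider.role, otherwise the generated default."""
    fn = config["functions"][fn_name]
    return fn.get("role") or config["provider"].get("role") or DEFAULT_ROLE


def _statements(config, role_id):
    """provider.iamRoleStatements for the generated role; inline Policies for a custom role."""
    if role_id == DEFAULT_ROLE:
        return config["provider"].get("iamRoleStatements", [])
    props = config["resources"]["Resources"][role_id]["Properties"]
    return [s for p in props.get("Policies", []) for s in p["PolicyDocument"]["Statement"]]


def role_allows(config, role_id, action, resource_arn):
    """True if some Allow statement matches action and resource (IAM '*'/'?' wildcards).
    Static approximation: managed policies, Deny statements and Conditions are not modelled."""
    as_list = lambda v: v if isinstance(v, list) else [v]  # IAM allows a string or a list
    for stmt in _statements(config, role_id):
        if stmt.get("Effect") == "Allow" \
                and any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"])) \
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in as_list(stmt["Resource"])):
            return True
    return False


def diagnose(config, action, resource_arn):
    """Map each function to (effective role, allowed?) for action on resource_arn."""
    return {fn: (role, role_allows(config, role, action, resource_arn))
            for fn in config["functions"] for role in [resolve_role(config, fn)]}
```

Running diagnose on the constructed config reproduces the question's symptom: app_new_client_process resolves to the generated role with no DynamoDB statement, while the function that references the custom role is allowed PutItem on dev-app-clients.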