我正在尝试通过Gateway api使用AWS-SDK调用一个函数,但是我收到以下错误。
执行角色的策略为execute-api:*作为操作,结果为'*'。
代码是:
const restApi = await new Promise((resolve, reject) => {
apiGateway.getRestApi({restApiId: myRestApi}, function(err, data) {
错误:
2020-06-06T08:58:47.741Z d3e08e04-095c-41ec-bbe6-69344d53854c INFO getRestApi err AccessDeniedException: User: arn:aws:sts::123412341234:assumed-role/mydev-LambdaExecutionRole/mydev-api-FooFunctionsStack-AddFooFunction-123ASDF is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis/xxx111yy
at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
网络设置应该很好,lambda在VPC内,但它具有公共子网可以连接其外部的服务。以前没有,并且apiGateway.getRestApi超时。
角色策略:
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
RoleName: 'MyRole'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
Policies:
- PolicyName: lambda-execution-policy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- secretsmanager:GetSecretValue
- rds:*
- rds-data:*
- ses:SendEmail
- ses:SendRawEmail
- ec2:DescribeNetworkInterfaces
- ec2:CreateNetworkInterface
- ec2:DeleteNetworkInterface
- s3:*
- execute-api:*
Resource: '*'
答案 0 :(得分:1)
lambda在VPC内,但它具有公共子网以连接其外部的服务
不幸的是,错误不是与API网关的公共访问有关,而是与API信息有关的必需访问。
相反,该错误是由于您的lambda's execution role mydev-LambdaExecutionRole无权在GET资源上执行xxx111yy方法。
您的权限execute-api:*用于调用 API。您的lambda函数应具有apigateway:*的权限,该权限用于获取有关api的信息。例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "apigateway:GET",
"Resource": "*"
}
]
}
有两种方法来纠正此问题: