Why does adding an event source attach a new inline policy?

Time: 2020-07-22 03:56:09

Tags: aws-lambda amazon-iam aws-cdk

I am building infrastructure in Python with the AWS CDK.

Step 1 to Step 4 are all in the same stack.

Step 1: Create the role lambda_role for Lambda, with the AWS managed policy AmazonDynamoDBFullAccess.

lambda_role = aws_iam.Role(self, "lambda_role", 
       assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
       role_name="lambda_role")

policy = "AmazonDynamoDBFullAccess"

lambda_role.add_managed_policy(aws_iam.ManagedPolicy.from_aws_managed_policy_name(policy))

Step 2: Create the table my_table with streams enabled.

stream_view_type = aws_dynamodb.StreamViewType.NEW_AND_OLD_IMAGES

my_table = aws_dynamodb.Table(self, id=tableName,
            table_name=tableName,
            partition_key=partition_key,
            stream=stream_view_type,
        )

Step 3: Create the Lambda function my_lambda using lambda_role.

my_lambda = aws_lambda.Function(self, "my_lambda",
             role=lambda_role,
             # runtime, handler and code are required by aws_lambda.Function;
             # they were omitted in the original, the values here are placeholders
             runtime=aws_lambda.Runtime.PYTHON_3_8,
             handler="index.handler",
             code=aws_lambda.Code.from_asset("lambda"))

Step 4: Set the table (my_table) as the trigger for the Lambda function (my_lambda).

# the method on aws_lambda.Function is add_event_source (singular)
my_lambda.add_event_source(
    aws_lambda_event_sources.DynamoEventSource(
         starting_position=aws_lambda.StartingPosition.LATEST,
         table=my_table,
         batch_size=table_setting["batch_size"],
         retry_attempts=table_setting["retry_attempts"],
    )
)

My questions

  1. Why does Step 4 automatically create an inline policy and attach it to lambda_role? The scope of AmazonDynamoDBFullAccess added in Step 1 already overlaps with the newly created policy.
  2. How can I share the policy AmazonDynamoDBFullAccess instead of creating a new policy for each event source?

inline policy attached to lambda_role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "dynamodb:ListStreams",
            "Resource": "arn:aws:dynamodb:?:?:table/my_table/stream/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
            ],
            "Resource": "arn:aws:dynamodb:?:?:table/my_table/stream/2020-07-22T03:35:56.757",
            "Effect": "Allow"
        }
    ]
}

Snippet of AmazonDynamoDBFullAccess attached to lambda_role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:*", ...
            ],
            "Effect": "Allow",
            "Resource": "*"
        }, ...
    ]
}
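To make the overlap in question 1 concrete, here is a small added example (not code from the question or from the CDK) that expands both policies into (action, resource) grants and checks which grants of one policy are not covered by the other, using IAM's `*`/`?` glob semantics. The `?` placeholders in the stream ARNs are filled with a constructed region and account id. It shows that every grant in the CDK-generated inline policy is already covered by `dynamodb:*` on `*`, while the inline policy itself is scoped to a single table stream, which is the least-privilege shape a reviewer would want to keep.

```python
import fnmatch

# Constructed sample: the CDK-generated inline policy quoted in the question,
# with the "?" placeholders replaced by a made-up region and account id.
INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "dynamodb:ListStreams",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my_table/stream/*",
         "Effect": "Allow"},
        {"Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                    "dynamodb:GetShardIterator"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my_table/stream/2020-07-22T03:35:56.757",
         "Effect": "Allow"},
    ],
}

# Constructed sample: only the statement of AmazonDynamoDBFullAccess that the
# question quotes; the real managed policy contains further statements.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["dynamodb:*"], "Effect": "Allow", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allow_pairs(policy):
    """Expand the Allow statements of a policy into (action, resource) pairs."""
    pairs = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                pairs.append((action, resource))
    return pairs


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # fnmatchcase implements that glob; ARNs and action names contain no
    # '[' so its bracket syntax cannot interfere. Actions are case-insensitive.
    return fnmatch.fnmatchcase(value, pattern)


def uncovered(narrow, broad):
    """Return grants of `narrow` that no Allow statement in `broad` matches."""
    broad_pairs = allow_pairs(broad)
    return [(a, r) for a, r in allow_pairs(narrow)
            if not any(_matches(ba.lower(), a.lower()) and _matches(br, r)
                       for ba, br in broad_pairs)]
```

`uncovered(INLINE_POLICY, FULL_ACCESS_POLICY)` is empty, so the managed policy already grants everything the event source needs, whereas `uncovered(FULL_ACCESS_POLICY, INLINE_POLICY)` reports `dynamodb:*` on `*`, the far broader grant the role keeps either way.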

1 answer:

Answer 0 (score: 0)

After creating a custom Lambda execution role, you can stop the add_event_source method from adding further policies to it by using Role.without_policy_updates().

To do so, you must also manually add any policies that are normally added automatically during Lambda function initialization, because Lambda initialization will also no longer be able to update the role automatically. For a simple Lambda function this is probably just AWSLambdaBasicExecutionRole and AWSLambdaVPCAccessExecutionRole.

lambda_role = aws_iam.Role(self, "lambda_role",
    assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
    role_name="lambda_role",
    managed_policies=[
        aws_iam.ManagedPolicy.from_aws_managed_policy_name(
            "service-role/AWSLambdaBasicExecutionRole"
        ),
        aws_iam.ManagedPolicy.from_aws_managed_policy_name(
            "service-role/AWSLambdaVPCAccessExecutionRole"
        ),
        aws_iam.ManagedPolicy.from_aws_managed_policy_name(
            "AmazonDynamoDBFullAccess"
        ),
    ]
)

# returns an IRole that CDK constructs can use but may not attach policies to
lambda_role = lambda_role.without_policy_updates()
my_lambda = aws_lambda.Function(self, "my_lambda",
         role=lambda_role,
         # runtime, handler and code are required by aws_lambda.Function;
         # they were omitted in the original, the values here are placeholders
         runtime=aws_lambda.Runtime.PYTHON_3_8,
         handler="index.handler",
         code=aws_lambda.Code.from_asset("lambda"))