我有一个现有的 Lambda 函数 Lambda1 ,它附加了一个资源策略。此资源策略提供对 AWS API Gateway 的 Lambda 函数的访问权限,特别是资源 API 授权方。如果我在 Lambda 函数控制台上查看资源策略,我会看到以下 JSON 文本
def aws_account = "https://xxxxxx.ecr.us-west-2.amazonaws.com/"
def ecr_credentials = "iam-role-arn for ecr"
docker.withRegistry(aws_account + "${ecr_repository_name}", "ecr:us-west-2:${ecr_credentials}") {
docker.image(customImage).push()
}
我想将类似的 {
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "333380d7-2251-452f-8640-d919e5d3d1bf",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-west-1:492572502211:function:Lambda1",
"Condition": {
"ArnLike": {
"AWS:SourceArn": "arn:aws:execute-api:eu-west-1:492572502211:kkwykrocn2/authorizers/98sqsv"
}
}
}
]
}
附加到我的另一个 Lambda 函数 Lambda2。我想执行以下命令
Resource based policy如果我将 JSON 文本粘贴到 policy.json 文件中并执行上述命令,则会出现以下错误:
aws lambda add-permission --cli-input-json file://C:\script\policy.json
在检查 add-permission AWS CLI command 的文档时,我发现使用 Parameter validation failed:
Missing required parameter in input: "FunctionName"
Missing required parameter in input: "StatementId"
Unknown parameter in input: "Version", must be one of: FunctionName, StatementId, Action, Principal, SourceArn, SourceAccount, EventSourceToken, Qualifier, RevisionId
Unknown parameter in input: "Id", must be one of: FunctionName, StatementId, Action, Principal, SourceArn, SourceAccount, EventSourceToken, Qualifier, RevisionId
Unknown parameter in input: "Sid", must be one of: FunctionName, StatementId, Action, Principal, SourceArn, SourceAccount, EventSourceToken, Qualifier, RevisionId
Unknown parameter in input: "Effect", must be one of: FunctionName, StatementId, Action, Principal, SourceArn, SourceAccount, EventSourceToken, Qualifier, RevisionId
Unknown parameter in input: "Resource", must be one of: FunctionName, StatementId, Action, Principal, SourceArn, SourceAccount, EventSourceToken, Qualifier, RevisionId
Unknown parameter in input: "Condition", must be one of: FunctionName, StatementId, Action, Principal, SourceArn, SourceAccount, EventSourceToken, Qualifier, RevisionId
Invalid type for parameter Principal, value: {'Service': 'apigateway.amazonaws.com'}, type: <class 'dict'>, valid types: <class 'str'>
选项正确的格式应如下所示:
--generate-cli-skeleton在上面的 JSON 结构中,没有条件元素,通过它我只能提供对 API 网关中授权者资源的访问。有人可以帮我理解如何添加上述 JSON 结构的条件元素吗?(请参阅粘贴在此问题开头的 JSON 文本以查看条件元素)
答案 0 :(得分:0)
如果您指定 SourceArn 和/或 SourceAccount,将自动创建条件。
你不能创造其他条件。您可以检查 docs 以使用这些参数创建权限,例如:
aws lambda add-permission --function-name my-function --action lambda:InvokeFunction --statement-id sns-my-topic \
--principal sns.amazonaws.com --source-arn arn:aws:sns:us-east-2:123456789012:my-topic