How do I assign function level IamRoleStatements in Serverless Framework?
I want to assign different permissions to the different functions listed in serverless.yml:

```yaml
functions:
  hello:
    handler: handler.hello
  crawl-distributor:
    handler: CrawlDistributor.handler
  product-scanner:
    handler: ProductScanner.handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:*
          - lambda:*
        Resource: "*"
```
This doesn't seem to work. When I add iamRoleStatements at the provider level it works, but that ends up applying the permissions to all functions:

```yaml
provider:
  name: aws
  runtime: nodejs4.3
  stage: api
  region: us-east-1
  profile: dev
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:*
        - lambda:*
      Resource: "*"
```
From the docs, you need to create the function role under resources and reference this new role in your function.

Example:

```yaml
service: my-test

provider:
  name: aws
  runtime: nodejs4.3
  stage: api
  region: us-east-1
  profile: dev

functions:
  hello:
    handler: handler.hello
  crawl-distributor:
    handler: CrawlDistributor.handler
  product-scanner:
    role: myDynamoRole
    handler: ProductScanner.handler

resources:
  Resources:
    myDynamoRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: myDynamoRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - dynamodb:*
                    - lambda:*
                  Resource: "*"
```
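The per-function role pattern above is what makes least privilege possible, but the policy it carries still grants `dynamodb:*` and `lambda:*` on every resource. Below is a tighter version of the same pattern, added here as an example and not taken from the original answer or the Serverless Framework docs: the role is scoped to one DynamoDB table created in the same stack, and the action list, table definition and logical IDs (`productsTable`, `productScannerRole`) are assumptions.

```yaml
service: my-test
provider:
  name: aws
  runtime: nodejs4.3
  # no provider-level iamRoleStatements: nothing is granted to every function

functions:
  product-scanner:
    handler: ProductScanner.handler
    role: productScannerRole   # logical ID of the role defined under resources

resources:
  Resources:
    # Assumed: the table the scanner reads and writes, created in the same stack
    productsTable:
      Type: AWS::DynamoDB::Table
      Properties:
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        BillingMode: PAY_PER_REQUEST

    productScannerRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: productScannerTableAccess
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                # only the actions the handler needs (assumed set), only on this table
                - Effect: Allow
                  Action: [dynamodb:GetItem, dynamodb:PutItem, dynamodb:Query]
                  Resource:
                    Fn::GetAtt: [productsTable, Arn]
                # a custom role replaces the framework's default role, so the
                # CloudWatch Logs permissions that default role carried must be added back
                - Effect: Allow
                  Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
                  Resource: "arn:aws:logs:*:*:*"
```

Functions that do not set `role` keep the framework's default role, so after deploying it is worth checking in the IAM console that `product-scanner` is the only function attached to `productScannerRole` and that no function still holds a wildcard DynamoDB grant.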