IAM 用户上的 lambda ListFunctions 的 AWS AccessDeniedException
AWS AccessDeniedException for lambda ListFunctions on a IAM user
预先注意:我通过 IAM 用户控制台帐户执行所有 AWS 配置,该帐户基本上拥有 AWS/Amazon 帐户所有者的所有权限。我将此 IAM 用户称为 root 帐户。
问题描述:
- 我从 root 帐户创建了以下 IAM 用户,使用
仅编程访问:lambda-test
- 我在我的 ~/.aws/* 文件中添加了它的 IAM 访问密钥(作为配置文件条目)。
- 现在,对于那个 lambda-test 帐户,我接下来创建了一个 Inline/Embedded 允许以下 AWS-Lamdba 操作的策略:ListFunctions、GetFunction , 更新函数代码, 更新函数配置
正确验证的政策声明如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1111111111111", # <--- Altered for this post.
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:ListFunctions",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:*"
]
}
]
}
回到膝上型计算机 CLI,我发出以下命令,生成 AccessDeniedException:
user@linux$ aws lambda list-functions --profile lambda-test
例外情况:
An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: arn:aws:iam::<AWS-Account-ID>:user/lambda-test is not authorized to perform: lambda:ListFunctions
我错过了什么吗? (我当然做了。=:))
提前致谢!
您可以将两种类型的访问策略用于 AWS lambda:
1) 基于身份的策略(IAM 策略)
您正在使用的是 IAM 策略。如果你读到这个 AWS lambda access control overview documentation, when you are working with IAM based access, right now AWS only supports * as resource. Because "lambda:ListFunctions" can't be called with full ARN (refer this documentation for which can be called with FULL arn and which can be called with *), 你需要给 *.
In the current implementation, Lambda doesn't support identifying specific resources using the resource ARNs (also referred to as resource-level permissions) for some of the API actions, so you must specify a wildcard character (*).
2) 基于资源的策略(Lambda 函数策略)
Each Lambda function can have resource-based permissions policies associated with it. For Lambda, a Lambda function is the primary resource and these policies are referred to as Lambda function policies. You can use a Lambda function policy to grant cross-account permissions as an alternative to using identity-based policies with IAM roles. For example, you can grant Amazon S3 permissions to invoke your Lambda function by simply adding permissions to the Lambda function policy instead of creating an IAM role.
不是 OP 的问题,而是来自 Google 的其他人:
确保您为正在使用的 IAM 用户启用了控制台登录。
这可以在 IAM -> Users -> (select user) -> Security credentials
下设置
预先注意:我通过 IAM 用户控制台帐户执行所有 AWS 配置,该帐户基本上拥有 AWS/Amazon 帐户所有者的所有权限。我将此 IAM 用户称为 root 帐户。
问题描述:
- 我从 root 帐户创建了以下 IAM 用户,使用 仅编程访问:lambda-test
- 我在我的 ~/.aws/* 文件中添加了它的 IAM 访问密钥(作为配置文件条目)。
- 现在,对于那个 lambda-test 帐户,我接下来创建了一个 Inline/Embedded 允许以下 AWS-Lamdba 操作的策略:ListFunctions、GetFunction , 更新函数代码, 更新函数配置
正确验证的政策声明如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1111111111111", # <--- Altered for this post.
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:ListFunctions",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:*"
]
}
]
}
回到膝上型计算机 CLI,我发出以下命令,生成 AccessDeniedException:
user@linux$ aws lambda list-functions --profile lambda-test
例外情况:
An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: arn:aws:iam::<AWS-Account-ID>:user/lambda-test is not authorized to perform: lambda:ListFunctions
我错过了什么吗? (我当然做了。=:)) 提前致谢!
您可以将两种类型的访问策略用于 AWS lambda:
1) 基于身份的策略(IAM 策略) 您正在使用的是 IAM 策略。如果你读到这个 AWS lambda access control overview documentation, when you are working with IAM based access, right now AWS only supports * as resource. Because "lambda:ListFunctions" can't be called with full ARN (refer this documentation for which can be called with FULL arn and which can be called with *), 你需要给 *.
In the current implementation, Lambda doesn't support identifying specific resources using the resource ARNs (also referred to as resource-level permissions) for some of the API actions, so you must specify a wildcard character (*).
2) 基于资源的策略(Lambda 函数策略)
Each Lambda function can have resource-based permissions policies associated with it. For Lambda, a Lambda function is the primary resource and these policies are referred to as Lambda function policies. You can use a Lambda function policy to grant cross-account permissions as an alternative to using identity-based policies with IAM roles. For example, you can grant Amazon S3 permissions to invoke your Lambda function by simply adding permissions to the Lambda function policy instead of creating an IAM role.
不是 OP 的问题,而是来自 Google 的其他人:
确保您为正在使用的 IAM 用户启用了控制台登录。
这可以在 IAM -> Users -> (select user) -> Security credentials