serverless.yml 中的引用函数
Reference function from within serverless.yml
我有几个 AWS lambdas 运行,由 Serverless Framework 支持。我需要一个 lambda(称为 lambdaOne
),它将使用 AWS 的 javascript sdk 调用第二个 lambda(称为 lambdaTwo
)。问题是我在尝试此操作时收到 AccessDenied
异常:
UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1):
AccessDeniedException: User: arn:aws:sts::12345678909876:assumed-role/test-dev-us-west-2-lambdaRole/test-dev-lambdaOne is not authorized to perform: lambda:Invoke Function on resource: arn:aws:lambda:us-west-2:994979977450:function:test-dev-lambdaTwo
据我了解,Serverless 为所有 lambda 函数创建了一个 default IAM 角色。所以,我应该能够在 iamRoleStatements
.
下添加一个新条目
我的困惑是因为我要引用的资源 (lambdaTwo
) 已经被定义为 function.
有没有办法将 function
作为资源引用?
目前,没有为 Lambda 函数声明权限的快捷方式。您需要根据其 ARN 授予权限。
下面是一个工作示例。
serverless.yml
service: test-invoke-function
provider:
name: aws
runtime: nodejs6.10
region: us-east-1
stage: dev
environment:
AWS_ACCOUNT: 1234567890 # use your own AWS ACCOUNT number here
# define the ARN of the function that you want to invoke
FUNCTION_ARN: "arn:aws:lambda:${self:provider.region}:${self:provider.environment.AWS_ACCOUNT}:function:${self:service}-${self:provider.stage}-lambdaTwo"
functions:
# lambdaOne will invoke lambdaTwo
lambdaOne:
handler: handler.lambdaOne
role: functionPermission # we'll define later in this file
lambdaTwo:
handler: handler.lambdaTwo
# define the IAM permissions of our Lambda function
resources:
Resources:
functionPermission:
Type: AWS::IAM::Role
Properties:
RoleName: functionPermission
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: functionPermission
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Action:
- "lambda:InvokeFunction"
Resource: "${self:provider.environment.FUNCTION_ARN}"
handler.js
const AWS = require('aws-sdk');
module.exports.lambdaOne = (event, context, callback) => {
const lambda = new AWS.Lambda();
const params = {
FunctionName: process.env.FUNCTION_ARN,
Payload: JSON.stringify({ message: 'lambdaOne invoking lambdaTwo' })
};
// invoke lambdaTwo
lambda.invoke(params, (err, data) => {
if (err) {
callback(err, null);
return;
}
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'lambdaOne result',
result: data
})
};
callback(null, response);
});
};
module.exports.lambdaTwo = (event, context, callback) => {
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'lambdaTwo result',
data: event
})
};
callback(null, response);
};
您也可以使用 serverless-iam-roles-per-function plugin which allow you to attach individual IAM role per lambda function and in combination with serverless-pseudo-parameters 您可以引用其他 lambda。
我有几个 AWS lambdas 运行,由 Serverless Framework 支持。我需要一个 lambda(称为 lambdaOne
),它将使用 AWS 的 javascript sdk 调用第二个 lambda(称为 lambdaTwo
)。问题是我在尝试此操作时收到 AccessDenied
异常:
UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): AccessDeniedException: User: arn:aws:sts::12345678909876:assumed-role/test-dev-us-west-2-lambdaRole/test-dev-lambdaOne is not authorized to perform: lambda:Invoke Function on resource: arn:aws:lambda:us-west-2:994979977450:function:test-dev-lambdaTwo
据我了解,Serverless 为所有 lambda 函数创建了一个 default IAM 角色。所以,我应该能够在 iamRoleStatements
.
我的困惑是因为我要引用的资源 (lambdaTwo
) 已经被定义为 function.
有没有办法将 function
作为资源引用?
目前,没有为 Lambda 函数声明权限的快捷方式。您需要根据其 ARN 授予权限。
下面是一个工作示例。
serverless.yml
service: test-invoke-function
provider:
name: aws
runtime: nodejs6.10
region: us-east-1
stage: dev
environment:
AWS_ACCOUNT: 1234567890 # use your own AWS ACCOUNT number here
# define the ARN of the function that you want to invoke
FUNCTION_ARN: "arn:aws:lambda:${self:provider.region}:${self:provider.environment.AWS_ACCOUNT}:function:${self:service}-${self:provider.stage}-lambdaTwo"
functions:
# lambdaOne will invoke lambdaTwo
lambdaOne:
handler: handler.lambdaOne
role: functionPermission # we'll define later in this file
lambdaTwo:
handler: handler.lambdaTwo
# define the IAM permissions of our Lambda function
resources:
Resources:
functionPermission:
Type: AWS::IAM::Role
Properties:
RoleName: functionPermission
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: functionPermission
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Action:
- "lambda:InvokeFunction"
Resource: "${self:provider.environment.FUNCTION_ARN}"
handler.js
const AWS = require('aws-sdk');
module.exports.lambdaOne = (event, context, callback) => {
const lambda = new AWS.Lambda();
const params = {
FunctionName: process.env.FUNCTION_ARN,
Payload: JSON.stringify({ message: 'lambdaOne invoking lambdaTwo' })
};
// invoke lambdaTwo
lambda.invoke(params, (err, data) => {
if (err) {
callback(err, null);
return;
}
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'lambdaOne result',
result: data
})
};
callback(null, response);
});
};
module.exports.lambdaTwo = (event, context, callback) => {
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'lambdaTwo result',
data: event
})
};
callback(null, response);
};
您也可以使用 serverless-iam-roles-per-function plugin which allow you to attach individual IAM role per lambda function and in combination with serverless-pseudo-parameters 您可以引用其他 lambda。