serverless.yml 中的引用函数

Reference function from within serverless.yml

我有几个 AWS lambdas 运行,由 Serverless Framework 支持。我需要一个 lambda(称为 lambdaOne),它将使用 AWS 的 javascript sdk 调用第二个 lambda(称为 lambdaTwo)。问题是我在尝试此操作时收到 AccessDenied 异常:

UnhandledPromiseRejectionWarning: Unhandled promise rejection (rejection id: 1): AccessDeniedException: User: arn:aws:sts::12345678909876:assumed-role/test-dev-us-west-2-lambdaRole/test-dev-lambdaOne is not authorized to perform: lambda:Invoke Function on resource: arn:aws:lambda:us-west-2:994979977450:function:test-dev-lambdaTwo

据我了解,Serverless 为所有 lambda 函数创建了一个 default IAM 角色。所以,我应该能够在 iamRoleStatements.

下添加一个新条目

我的困惑是因为我要引用的资源 (lambdaTwo) 已经被定义为 function.

有没有办法将 function 作为资源引用?

目前,没有为 Lambda 函数声明权限的快捷方式。您需要根据其 ARN 授予权限。

下面是一个工作示例。

serverless.yml

service: test-invoke-function

provider:
  name: aws
  runtime: nodejs6.10
  region: us-east-1
  stage: dev
  environment:
    AWS_ACCOUNT: 1234567890 # use your own AWS ACCOUNT number here

    # define the ARN of the function that you want to invoke
    FUNCTION_ARN: "arn:aws:lambda:${self:provider.region}:${self:provider.environment.AWS_ACCOUNT}:function:${self:service}-${self:provider.stage}-lambdaTwo"  

functions:
  # lambdaOne will invoke lambdaTwo
  lambdaOne: 
    handler: handler.lambdaOne
    role: functionPermission # we'll define later in this file

  lambdaTwo:
    handler: handler.lambdaTwo

# define the IAM permissions of our Lambda function
resources:
  Resources:
    functionPermission:
      Type: AWS::IAM::Role
      Properties:
        RoleName: functionPermission
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: functionPermission
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: "Allow"
                  Action:
                    - "lambda:InvokeFunction"
                  Resource: "${self:provider.environment.FUNCTION_ARN}"

handler.js

const AWS = require('aws-sdk');

module.exports.lambdaOne = (event, context, callback) => {  
  const lambda = new AWS.Lambda();
  const params = {
    FunctionName: process.env.FUNCTION_ARN,
    Payload: JSON.stringify({ message: 'lambdaOne invoking lambdaTwo' })
  };

  // invoke lambdaTwo
  lambda.invoke(params, (err, data) => {
    if (err) {
      callback(err, null);
      return;
    }

    const response = {
      statusCode: 200,
      body: JSON.stringify({
        message: 'lambdaOne result',
        result: data
      })
    };

    callback(null, response);
  });
};

module.exports.lambdaTwo = (event, context, callback) => {  
  const response = {
    statusCode: 200,
    body: JSON.stringify({
      message: 'lambdaTwo result',
      data: event
    })
  };

  callback(null, response);
};

您也可以使用 serverless-iam-roles-per-function plugin which allow you to attach individual IAM role per lambda function and in combination with serverless-pseudo-parameters 您可以引用其他 lambda。