Give permission to AWS Lambda to list all SNS topics

I have a cloudformation template that creates a lambda function and an SNS topic. The lambda function does some processing and publishes the result to the SNS topic.

To get the ARN of the SNS topic, I use the boto3.client('sns').list_topics() function and then search for the SNS topic name I set in the template.

But calling the list_topics() API gives me the following error:

An error occurred (AuthorizationError) when calling the ListTopics operation: User: arn:aws:sts::136732452473:assumed-role/test/severless-btc-update-PriceUpdateFunction-B38KNZMCBGB is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:eu-west-1:136732452473:*

How do I add the ListTopics permission to my lambda resource in the cloudformation template YAML file?

Here is my cloudformation.yaml file:

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Bitcoin daily update


Parameters:
  PhoneNumber:
    Type: String
    Description: The phone number recipient of the update, in E.164 (e.g. +919876123456) format.
  UTCHour:
    Type: String
    Default: 3
    Description: The hour at which to send the update, in the UTC time zone.

Resources:
  PriceUpdateFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: main.lambda_handler
      Runtime: python3.6
      Timeout: 5
      CodeUri: main.py
      Environment:
        Variables:
          PHONE_NUMBER: !Ref PhoneNumber
      Events:
        ScheduledEvent:
          Type: Schedule
          Properties:
            Schedule: !Join [' ', ['cron(0', !Ref UTCHour, '* * ? *)']]
      Policies:
        - SNSPublishMessagePolicy:
            TopicName: !GetAtt SNSTopic.TopicName
  SNSTopic:
    Type: "AWS::SNS::Topic"
    Properties:
      TopicName: "sendSMS"
      DisplayName: "BitcoinPriceTopic"
      Subscription:
        -
          Endpoint: !Ref PhoneNumber
          Protocol: "sms"

You need to define a Lambda execution role and assign the appropriate permissions to the function. Your AWS::Serverless::Function should have a Role property:

Role: !GetAtt LambdaExecutionRole.Arn

Then create the referenced role in your template:

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal: {Service: [lambda.amazonaws.com]}
          Action: ['sts:AssumeRole']
      Path: /
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      - arn:aws:iam::aws:policy/service-role/AWSLambdaRole
      Policies:
      - PolicyName: SNSPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
              - "SNS:ListTopics"
              Resource: ['*']

Adjust the permissions in the Action section as needed.
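As an added example (not code from the question or the answer), here is a Python lookup for the topic ARN that walks every page of ListTopics, since boto3's list_topics() returns at most 100 topics per call, and that prefers a TOPIC_ARN environment variable so the function can do without sns:ListTopics entirely. The TOPIC_ARN variable name, the FakeSnsClient stand-in and the 111111111111 account ID in the test data are assumed or constructed, not from the page.

```python
import os


def topic_arn_from_listing(sns_client, topic_name):
    """Walk every page of ListTopics (boto3 returns at most 100 topics per
    call, so a single list_topics() can miss the topic) and return the ARN
    whose last ':'-separated field equals topic_name, or None if absent."""
    kwargs = {}
    while True:
        page = sns_client.list_topics(**kwargs)
        for topic in page.get("Topics", []):
            arn = topic["TopicArn"]
            if arn.rsplit(":", 1)[-1] == topic_name:
                return arn
        next_token = page.get("NextToken")
        if not next_token:
            return None
        kwargs = {"NextToken": next_token}


def resolve_topic_arn(sns_client, topic_name, environ=None):
    """Prefer a TOPIC_ARN environment variable (assumed name; the template can
    set it with `!Ref SNSTopic`, since Ref on an AWS::SNS::Topic yields the
    ARN), which removes the need for any sns:ListTopics permission; fall back
    to the paginated listing only when it is absent."""
    environ = os.environ if environ is None else environ
    arn = environ.get("TOPIC_ARN")
    if arn:
        return arn
    arn = topic_arn_from_listing(sns_client, topic_name)
    if arn is None:
        raise LookupError(f"no SNS topic named {topic_name!r} visible to this role")
    return arn


class FakeSnsClient:
    """Constructed stand-in for boto3.client('sns') for offline testing:
    serves the given pages with the NextToken chaining of the real API."""
    def __init__(self, pages):
        self._pages = pages  # each entry shaped like a ListTopics response
        self.calls = 0

    def list_topics(self, NextToken=None):
        self.calls += 1
        index = int(NextToken) if NextToken else 0
        page = dict(self._pages[index])
        if index + 1 < len(self._pages):
            page["NextToken"] = str(index + 1)
        return page
```

With the ARN injected by the template (PHONE_NUMBER is already passed the same way), the role needs only sns:Publish on that one topic instead of sns:ListTopics on *. Note that SAM ignores the Policies list once Role is set, so that Publish statement then has to be added to the explicit role.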