CognitoIdentityCredentials 无权对资源执行:lambda:InvokeFunction
CognitoIdentityCredentials is not authorized to perform: lambda:InvokeFunction on resource
我正在尝试从 iOS 客户端调用 lambda 函数。我的代码如下所示:
要获取凭据,在 appDelegate 中:
func application(_ application: UIApplication,
didFinishLaunchingWithOptions launchOptions:
[UIApplicationLaunchOptionsKey: Any]?) -> Bool {
// Uncomment to turn on logging, look for "Welcome to AWS!" to confirm success
AWSDDLog.add(AWSDDTTYLogger.sharedInstance)
AWSDDLog.sharedInstance.logLevel = .error
// Instantiate AWSMobileClient to get AWS user credentials
return AWSMobileClient.sharedInstance().interceptApplication(application, didFinishLaunchingWithOptions: launchOptions)
}
并在 viewController 上调用:
class ViewController: UIViewController {
let lambdaInvoker = AWSLambdaInvoker.default()
let jsonObject: [String: Any] = ["key1" : "value1",
"key2" : 2 ,
"key3" : [1, 2],
"isError" : false]
@IBAction func button(_ sender: Any) {
print("pressed")
lambdaInvoker.invokeFunction("myTest", jsonObject: jsonObject)
.continueWith(block: {(task:AWSTask<AnyObject>) -> Any? in
if( task.error != nil) {
print("Error: \(task.error!)")
return nil
}
// Handle response in task.result
if let JSONDictionary = task.result as? NSDictionary {
print("Result: \(JSONDictionary)")
print("resultKey: \(JSONDictionary["resultKey"])")
}
return nil
})
}
它抛出这个错误:
... Message=User: arn:aws:sts::103314601078:assumed-role/Cognito_testpoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: lambda:InvokeFunction on resource ...
我也设置了这个角色:
{
"roleName": "myRoleTest",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1464440182000",
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
}
]
}
我知道我需要为该资源添加权限才能调用该函数,但我找不到位置或方法!如果有任何帮助,我将不胜感激...
好的,我不知道这对任何人是否有用,但我解决了这个问题。事实证明,要正确使用 AWS SDK,您首先需要创建一个身份池。如您所见,我做了所有这些,并将池 ID 和区域添加到配置文件中。我错过的是您还需要向身份池添加权限才能使用 lambda 服务。
因此,创建身份池后,您将拥有两个新角色,一个是 auth,一个是 unauth。您应该转到 IAM 控制台,角色,找到有问题的角色(在我的例子中是 unauth)并将策略修改为如下所示:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource":[
"*"
]
},
{
"Effect":"Allow",
"Action":[
"lambda:invokefunction"
],
"Resource":[
"arn:aws:lambda:us-east-1:account-id:function:yourFunctionName"
]
}
]
}
在此之后,您的资源应该能够调用 lambda 函数。
如果这不是最好的方法,请指出!
编辑:
实际上有一个名为 AWS Lambda 角色的托管策略,可以让您毫无问题地调用。
我正在尝试从 iOS 客户端调用 lambda 函数。我的代码如下所示:
要获取凭据,在 appDelegate 中:
func application(_ application: UIApplication,
didFinishLaunchingWithOptions launchOptions:
[UIApplicationLaunchOptionsKey: Any]?) -> Bool {
// Uncomment to turn on logging, look for "Welcome to AWS!" to confirm success
AWSDDLog.add(AWSDDTTYLogger.sharedInstance)
AWSDDLog.sharedInstance.logLevel = .error
// Instantiate AWSMobileClient to get AWS user credentials
return AWSMobileClient.sharedInstance().interceptApplication(application, didFinishLaunchingWithOptions: launchOptions)
}
并在 viewController 上调用:
class ViewController: UIViewController {
let lambdaInvoker = AWSLambdaInvoker.default()
let jsonObject: [String: Any] = ["key1" : "value1",
"key2" : 2 ,
"key3" : [1, 2],
"isError" : false]
@IBAction func button(_ sender: Any) {
print("pressed")
lambdaInvoker.invokeFunction("myTest", jsonObject: jsonObject)
.continueWith(block: {(task:AWSTask<AnyObject>) -> Any? in
if( task.error != nil) {
print("Error: \(task.error!)")
return nil
}
// Handle response in task.result
if let JSONDictionary = task.result as? NSDictionary {
print("Result: \(JSONDictionary)")
print("resultKey: \(JSONDictionary["resultKey"])")
}
return nil
})
}
它抛出这个错误:
... Message=User: arn:aws:sts::103314601078:assumed-role/Cognito_testpoolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: lambda:InvokeFunction on resource ...
我也设置了这个角色:
{
"roleName": "myRoleTest",
"policies": [
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1464440182000",
"Effect": "Allow",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
}
]
}
我知道我需要为该资源添加权限才能调用该函数,但我找不到位置或方法!如果有任何帮助,我将不胜感激...
好的,我不知道这对任何人是否有用,但我解决了这个问题。事实证明,要正确使用 AWS SDK,您首先需要创建一个身份池。如您所见,我做了所有这些,并将池 ID 和区域添加到配置文件中。我错过的是您还需要向身份池添加权限才能使用 lambda 服务。
因此,创建身份池后,您将拥有两个新角色,一个是 auth,一个是 unauth。您应该转到 IAM 控制台,角色,找到有问题的角色(在我的例子中是 unauth)并将策略修改为如下所示:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"mobileanalytics:PutEvents",
"cognito-sync:*"
],
"Resource":[
"*"
]
},
{
"Effect":"Allow",
"Action":[
"lambda:invokefunction"
],
"Resource":[
"arn:aws:lambda:us-east-1:account-id:function:yourFunctionName"
]
}
]
}
在此之后,您的资源应该能够调用 lambda 函数。
如果这不是最好的方法,请指出!
编辑:
实际上有一个名为 AWS Lambda 角色的托管策略,可以让您毫无问题地调用。