如何引用 SAM 模板中定义的角色?
How do I reference a role defined in a SAM template?
我是 AWS SAM 模板的新手,希望能够创建一个具有一系列策略的角色,然后为 Lambda 函数引用该角色。但是,当我尝试部署时出现以下错误:
Value 'MyRole' at 'role' failed to satisfy constraint: Member must
satisfy regular expression pattern:
arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@-_/]+
这个答案提到我可以将策略直接添加到函数中,但我会有很多需要相同策略的函数,所以这不是一个非常枯燥的方法
问题是我不能在新创建的角色上使用!GetAtt
吗?
这是我的 template.yml
的样子:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get
您的 lambda 函数定义中缺少 Properties 标记,并且缺少第一个策略的策略列表。
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
-
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Properties:
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get
我是 AWS SAM 模板的新手,希望能够创建一个具有一系列策略的角色,然后为 Lambda 函数引用该角色。但是,当我尝试部署时出现以下错误:
Value 'MyRole' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@-_/]+
这个答案提到我可以将策略直接添加到函数中,但我会有很多需要相同策略的函数,所以这不是一个非常枯燥的方法
问题是我不能在新创建的角色上使用!GetAtt
吗?
这是我的 template.yml
的样子:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get
您的 lambda 函数定义中缺少 Properties 标记,并且缺少第一个策略的策略列表。
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
-
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Properties:
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get