How does a custom role (of Lambda) work with an EC2 role policy?

Below is the custom execution role (some-role-serv-LogicalID-GDGGGGGBMW2) created for a Lambda function written with a SAM template (AWS::Serverless::Function):

{
  "permissionsBoundary": {
    "permissionsBoundaryArn": "arn:aws:iam::111222333444:policy/some-permission-boundary",
    "permissionsBoundaryType": "Policy"
  },
  "roleName": "some-role-serv-LogicalID-GDGGGGGBMW2",
  "policies": [
    {
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:us-east-1:111222333444:someq*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:us-east-1:111222333444:log-group:*",
            "Effect": "Allow"
          }
        ]
      },
      "name": "lambda-policy",
      "type": "inline"
    }
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

where some-permission-boundary is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111222333444:log-group:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sqs:DeleteMessage",
                "sqs:ReceiveMessage",
                "sqs:SendMessage",
                "sqs:ListDeadLetterSourceQueues",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl"
            ],
            "Resource": [
                "arn:aws:sqs:us-east-1:111222333444:someq*"
            ],
            "Effect": "Allow"
        }
    ]
}

some-role-serv-LogicalID-GDGGGGGBMW2 is assigned the permissions boundary (some-permission-boundary) in the SAM template.

The Lambda function assumes the custom role using the following SAM template syntax:

Role: !GetAtt LogicalID.Arn

During deployment, the Lambda is created from a Docker container on EC2 (using sam deploy), and the EC2 instance assumes an additional role policy (below):

    {
        "Condition": {
            "StringEquals": {
                "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
            }
        },
        "Action": [
            "iam:CreateRole",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:DetachRolePolicy",
            "iam:GetRolePolicy"
        ],
        "Resource": [
            "arn:aws:iam::111222333444:role/some-role*"
        ],
        "Effect": "Allow"
    }

This EC2 policy should ensure that any custom role (e.g. some-role-serv-LogicalID-GDGGGGGBMW2) without the attribute:

PermissionsBoundary: !Sub "arn:aws:iam::${AWS::AccountId}:policy/some-permission-boundary"

should not be allowed to be created (role some-role-serv-LogicalID-GDGGGGGBMW2).

The following error occurred when creating the stack:

The stack was created successfully, but:

1) Why does the sam deploy command give this error?

2) Does the EC2 policy not disallow creating the custom role (some-role-serv-LogicalID-GDGGGGGBMW2) without the permissions boundary (some-permission-boundary)? As expected...

The error says that your EC2 instance, the entity invoking the sam deploy operation, does not have permission to perform iam:GetRolePolicy, and that is indeed the case here.

The problem is that while you can restrict the other 4 actions with this condition

"Condition": {
    "StringEquals": {
        "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
    }
}

you cannot do the same for GetRolePolicy. That action is not covered by that condition, so under it the statement has no effect. The only service-level condition key applicable to this action is iam:ResourceTag.

If you go to the management console and try to create such an IAM policy, you will see this warning, caused by your condition combined with the iam:GetRolePolicy action:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

The solution is to split your statement in two. First, under that condition, restrict the creation of IAM roles without the required permissions boundary together with the other IAM actions above, except iam:GetRolePolicy. Then create a second statement that contains only iam:GetRolePolicy, without that condition.

    {
        "Condition": {
            "StringEquals": {
                "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
            }
        },
        "Action": [
            "iam:CreateRole",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:DetachRolePolicy"
        ],
        "Resource": [
            "arn:aws:iam::111222333444:role/some-role*"
        ],
        "Effect": "Allow"
    }

    {
        "Action": [
            "iam:GetRolePolicy"
        ],
        "Resource": [
            "arn:aws:iam::111222333444:role/some-role*"
        ],
        "Effect": "Allow"
    }

And to answer your second question: yes, you can use the iam:PermissionsBoundary condition key with iam:CreateRole to prevent the creation of roles that do not carry a specific permissions boundary.