What are the required policies for an IAM user that does a Serverless deployment to AWS Lambda?
I'm trying to do a simple deployment from a user with a restricted role (no external resources at all). I spent three hours researching IAM and finally granted the "restricted" user the following policies:
- AWSCloudFormationFullAccess
- AWSCodeDeployRoleForLambda
- AWSLambdaFullAccess
- AmazonAPIGatewayInvokeFullAccess
- IAMFullAccess
and I still get
error occurred: ApiGatewayRestApi - User: arn:aws:iam::265913673281:user/test-deploy-user is not authorized to perform: apigateway:POST on resource: arn:aws:apigateway:us-west-2::/restapis (Service: AmazonApiGateway; Status Code: 403; Error Code: AccessDeniedException; Request ID: 09dd8d6f-3160-46ee-8220-c6053dca9f02; Proxy: null).
At that point I gave up and used root permissions.
But that doesn't scale. There has to be a way to actually do this (and, more importantly, a way other than trial and error).
(If it helps, I'm trying to deploy this example. It didn't work at all — shocking I know — until I modified it as detailed here. Seriously, Amazon, does it have to be this hard?)
Update:
A commenter wrote:
Are you deploying from the terminal or code build?
Terminal.
what does your serverless.yml file look like?
serverless.yaml is:
# serverless.yml
useDotenv: true
service: apollo-lambda
provider:
  name: aws
  runtime: nodejs12.x
  region: us-west-2
  deploymentBucket:
    name: mysys-deployment-bucket
    serverSideEncryption: AES256
  apiGateway:
    shouldStartNameWithService: true
functions:
  graphql:
    handler: build/graphql/lambda.graphqlHandler
    events:
      - http:
          path: graphql
          method: post
          cors: true
      - http:
          path: graphql
          method: get
          cors: true
plugins:
  - serverless-deployment-bucket
do you have your access key set up locally?
I do.
this isn't too hard at all once you got it wired up correctly.
You mean, once you've done the impossible, it isn't hard at all.
Apparently everything is easy except the hard parts. Everest? Getting to the airport is easy! Brain surgery? Shaving the patient's head is easy, and billing the insurance is simple too...
Atul Sharma wrote:
Just attach AmazonAPIGatewayAdministrator policy
That worked perfectly.
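The "other than trial and error" route the question asks for, added here as an illustration (not code from the question, the answer, or the Serverless project): parse the AccessDeniedException text AWS returns, draft the narrowest Allow statement for exactly the denied action and resource, and check it with the IAM policy simulator before reaching for a managed `*FullAccess` policy or root. The account ID in the sample is a placeholder, the sample message is constructed from the error shown above, and the `simulate` helper's boto3 call is an assumption that needs real AWS credentials.

```python
import json
import re

# Constructed sample, modelled on the AccessDeniedException in the question
# (placeholder account ID, not the one from the page).
SAMPLE_DENY = (
    "error occurred: ApiGatewayRestApi - User: arn:aws:iam::123456789012:user/test-deploy-user "
    "is not authorized to perform: apigateway:POST on resource: "
    "arn:aws:apigateway:us-west-2::/restapis (Service: AmazonApiGateway; Status Code: 403)"
)

# AWS phrases the denial as "User: <arn> is not authorized to perform: <svc>:<Action> on resource: <arn>"
DENY_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)(?: on resource: (?P<resource>arn:[^\s)]+))?"
)

def parse_access_denied(message):
    """Return (principal, action, resource) from a deny message, or None."""
    m = DENY_RE.search(message)
    if not m:
        return None
    return m.group("principal"), m.group("action"), m.group("resource") or "*"

def build_allow_policy(messages):
    """Draft the narrowest Allow document for a batch of deny messages:
    one statement per resource, listing only the actions that were denied."""
    by_resource = {}
    for msg in messages:
        parsed = parse_access_denied(msg)
        if parsed is not None:
            _, action, resource = parsed
            by_resource.setdefault(resource, set()).add(action)
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": res}
                  for res, acts in sorted(by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def simulate(principal_arn, action, resource, iam_client=None):
    """Ask the IAM policy simulator (assumed boto3 call, needs AWS credentials)
    whether the principal may perform the action, instead of deploying to find out."""
    if iam_client is None:
        import boto3  # lazy import: the offline helpers above need no AWS SDK
        iam_client = boto3.client("iam")
    resp = iam_client.simulate_principal_policy(
        PolicySourceArn=principal_arn, ActionNames=[action], ResourceArns=[resource])
    return resp["EvaluationResults"][0]["EvalDecision"]  # allowed / implicitDeny / explicitDeny

if __name__ == "__main__":
    print(json.dumps(build_allow_policy([SAMPLE_DENY]), indent=2))
```

Review the drafted statement rather than attaching it blindly: the deploy user in the question ends up with `IAMFullAccess`, and a document scoped to `apigateway:POST` on `/restapis` in one region is what a least-privilege deploy role should look like instead.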