Give an AWS Lambda the necessary permissions to create and delete alarms
How do I give an AWS Lambda defined in a CloudFormation template the permissions it needs to manage alarms (create/delete them)? I'm struggling to understand these policies and how they work.
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    # Trust policy: lets the Lambda service assume this role
    AssumeRolePolicyDocument:
      {
        'Version': '2012-10-17',
        'Statement':
          [
            {
              'Effect': 'Allow',
              'Principal': { 'Service': ['lambda.amazonaws.com'] },
              'Action': ['sts:AssumeRole'],
            },
          ],
      }
    # AWS-managed policies attached to the role
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      - 'arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess'
      - 'arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess'
      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
Lambda:
  Type: 'AWS::Lambda::Function'
  Properties:
    PackageType: Zip
    Handler: index.handler
    Runtime: nodejs12.x
    MemorySize: 512
    Timeout: 30
    # Execution role: the role defined above
    Role:
      Fn::GetAtt:
        - Role
        - Arn
    Code:
      ZipFile: |
        const AWS = require('aws-sdk')
        AWS.config.update({region: 'us-east-2'});
        const cw = new AWS.CloudWatch({apiVersion: '2010-08-01'});
        //
You could attach the CloudWatchFullAccess policy (arn:aws:iam::aws:policy/CloudWatchFullAccess), but that may grant more access than you need.
If you are willing to write your own policy, you can grant:
cloudwatch:PutMetricAlarm
cloudwatch:DeleteAlarms
For details see: Actions, resources, and condition keys for Amazon CloudWatch - Service Authorization Reference
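As an added example (not part of the original answer), here is the role from the question with the two actions the answer names granted through an inline policy instead of CloudWatchFullAccess, scoped to alarms in the stack's own account and region. The policy name and the `lambda-managed-` alarm-name prefix are assumptions.

```yaml
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      # Only what the function needs to write its own logs
      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
    Policies:
      - PolicyName: ManageOwnAlarms   # assumed name
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Sid: CreateAndDeleteAlarms
              Effect: Allow
              Action:
                - 'cloudwatch:PutMetricAlarm'
                - 'cloudwatch:DeleteAlarms'
              # Both actions support resource-level permissions on the alarm ARN,
              # so restrict them to alarms named with the assumed prefix
              # "lambda-managed-" in this account and region only.
              Resource: !Sub 'arn:${AWS::Partition}:cloudwatch:${AWS::Region}:${AWS::AccountId}:alarm:lambda-managed-*'
```

If the function also needs to list alarms, cloudwatch:DescribeAlarms does not support resource-level permissions and must be granted on Resource '*' in a separate statement.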