How to add Policies to AWS Lambda function using the .yaml file?

I am developing a REST API using AWS Lambda, API Gateway and RDS (MySQL). I am using the aws-sam tool to build, configure and publish my work to the cloud.

Please check the template.yaml file I am currently using, shown below.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get

However, for my lambda function to be able to find the database, I had to enable some policies from the AWS web console. I followed this link - https://ao.ms/the-provided-execution-role-does-not-have-permissions-to-call-createnetworkinterface-on-ec2/

Below is the policy I created for my Lambda function in the AWS web console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

But I cannot keep doing this in the web console for one function after another. I need to do this in the yaml file.

Using the yaml file provided above, how can I grant these permissions to my Lambda function?

------------UPDATE----------------

Based on Gaurauv's comment, I made the following changes to the yaml file.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get
      Role: !GetAtt LambdaRole.Arn
  
  LambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: 'ec2-access-policy'
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'

But the deployment failed with the following error.

CREATE_FAILED                           AWS::IAM::Role                          LambdaRole                              Property AssumeRolePolicyDocument
                                                                                                                        cannot be empty.

You can attach a role to the lambda function using an inline policy, like this:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get
      Role: !GetAtt LambdaRole.Arn
  LambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: 's3-access-policy'
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetBucketLocation
                  - s3:GetBucketCORS
                  - s3:GetObjectVersionForReplication
                  - s3:GetObject
                  - s3:GetBucketTagging
                  - s3:GetObjectVersion
                  - s3:GetObjectTagging
                  - s3:ListMultipartUploadParts
                  - s3:ListBucket
                  - s3:ListBucketMultipartUploads
                  - s3:PutObject
                  - s3:PutObjectTagging
                  - s3:DeleteObject
                Resource: '*'

According to the IAM::Role resource documentation, an AssumeRolePolicyDocument is required when creating a role. This property holds the trust policy associated with the role. The trust policy defines which entities are allowed to assume the role, and a role can have only one trust policy.

Please find the updated role resource for your use case below.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'
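A pre-deployment check that catches the failure from the update (a function whose Role points at an AWS::IAM::Role with no trust policy, or one that does not trust the Lambda service) before `sam deploy` fails. This is an added example, not part of the answer; it assumes the template has already been parsed into a dict (with PyYAML, `!GetAtt LambdaRole.Arn` needs a constructor that yields `{"Fn::GetAtt": ["LambdaRole", "Arn"]}`, the JSON form used here), and the embedded templates are constructed copies of the ones in the question.

```python
import copy

LAMBDA_SERVICE = "lambda.amazonaws.com"

def _as_list(x):
    return x if isinstance(x, list) else [x]  # CloudFormation allows a scalar or a list

def trust_findings(name, role):
    """Problems with the trust policy of one AWS::IAM::Role resource."""
    trust = role.get("Properties", {}).get("AssumeRolePolicyDocument")
    if not trust:
        return [f"{name}: AssumeRolePolicyDocument missing (CloudFormation rejects the role)"]
    trusted = []
    for st in _as_list(trust.get("Statement", [])):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            trusted += _as_list(st.get("Principal", {}).get("Service", []))
    if LAMBDA_SERVICE not in trusted:
        return [f"{name}: trust policy does not let {LAMBDA_SERVICE} assume the role"]
    return []

def check_template(template):
    """Follow each function's Role reference to its role and check the trust policy."""
    resources = template.get("Resources", {})
    findings = []
    for fname, fn in resources.items():
        role_ref = fn.get("Properties", {}).get("Role")
        if fn.get("Type") != "AWS::Serverless::Function" or role_ref is None:
            continue  # without Role, SAM generates a role with the correct trust policy
        # `Role: !GetAtt LambdaRole.Arn` is the parsed form {"Fn::GetAtt": ["LambdaRole", "Arn"]}
        target = role_ref["Fn::GetAtt"][0] if isinstance(role_ref, dict) else role_ref
        role = resources.get(target)
        if not isinstance(role, dict) or role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{fname}: Role points at {target!r}, not an AWS::IAM::Role in this template")
        else:
            findings += trust_findings(target, role)
    return findings

# Constructed, parsed form of the updated template in the question: no AssumeRolePolicyDocument.
BROKEN = {"Resources": {
    "GetAllAccountTypesLambda": {"Type": "AWS::Serverless::Function",
                                 "Properties": {"Role": {"Fn::GetAtt": ["LambdaRole", "Arn"]}}},
    "LambdaRole": {"Type": "AWS::IAM::Role", "Properties": {"Path": "/", "Policies": [
        {"PolicyName": "ec2-access-policy", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"], "Resource": "*"}]}}]}}}}

def fixed_template():
    """BROKEN plus the trust policy from the answer: only the Lambda service may assume the role."""
    t = copy.deepcopy(BROKEN)
    t["Resources"]["LambdaRole"]["Properties"]["AssumeRolePolicyDocument"] = {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                       "Principal": {"Service": [LAMBDA_SERVICE]}}]}
    return t
```

For the network-interface actions listed in the question, AWS also ships the managed policy arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole, which can be attached via ManagedPolicyArns instead of an inline statement on Resource '*'.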