lambda 创建事件的权限 events:PutEvents
Permissions for lambda to create event events:PutEvents
我想要一个创建 EventBridge 事件的 lambda,但在调用 lambda 时出现此错误:
User: arn:aws:sts::120293923901:assumed-role/MyApiOrdersPostFunct-I1QOYC7P1R0Z/MyApiOrdersPostFunct-SJtAeYoiaguW is not authorized to perform: events:PutEvents on resource: arn:aws:events:eu-north-1:120293923901:event-bus/MyApiEventBus because no identity-based policy allows the events:PutEvents action
我添加了政策但没有改变。
这是调用 eventbridge 的 lambda。
import { APIGatewayProxyHandler, APIGatewayProxyResult } from 'aws-lambda';
import { EventBridgeClient, PutEventsCommand } from '@aws-sdk/client-eventbridge';
const eventBridge = new EventBridgeClient({ region: 'eu-north-1' });
export const post: APIGatewayProxyHandler = async (): Promise<APIGatewayProxyResult> => {
const event = new PutEventsCommand({
Entries: [{
EventBusName: 'MyApiEventBus',
Source: 'MyApiEventBus.OrderCreated',
DetailType: 'OrderCreated',
Detail: JSON.stringify({ description: 'order has been created' }),
}]
});
eventBridge.send(event);
return {
statusCode: 200,
body: '',
};
};
这是 CDK 配置。有两个策略(attachInlinePolicy,addToRolePolicy)因为我都测试了。
import {
RestApi,
DomainName,
BasePathMapping,
LambdaIntegration,
Model,
} from '@aws-cdk/aws-apigateway';
import { EventBus, Rule } from '@aws-cdk/aws-events';
import { NodejsFunction } from '@aws-cdk/aws-lambda-nodejs';
import { Policy, PolicyStatement } from '@aws-cdk/aws-iam';
const MyApi = new RestApi(this, `RestApi`, {
restApiName: 'My API',
description: 'The My API',
});
// Add an Event Bus
const bus = new EventBus(this, `EventBus`, {
eventBusName: 'MyApiEventBus',
});
// Add API endpoint
const ordersResource = MyApi.root.addResource('orders');
const ordersPostFunction = new NodejsFunction(this, `OrdersPostFunction`, {
entry: './lambda.ts',
handler: 'post',
});
// Allow lambda to create events
ordersPostFunction.addToRolePolicy(
new PolicyStatement({
actions: ['events:PutEvents'],
resources: [bus.eventBusArn],
}),
);
ordersPostFunction.role?.attachInlinePolicy(
new Policy(this, `OrdersPostEventBusPolicy`, {
statements: [
new PolicyStatement({
actions: ['events:PutEvents'],
resources: [bus.eventBusArn],
}),
],
}),
);
// Role to allow for creating event (not working?)
bus.grantPutEventsTo(ordersPostFunction);
Lambda 角色文档
{
"sdkResponseMetadata": null,
"sdkHttpMetadata": null,
"partial": false,
"permissionsBoundary": null,
"policies": [
{
"arn": null,
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "events:PutEvents",
"Resource": "arn:aws:events:eu-west-1:120293923901:event-bus/MyApiEventBus",
"Effect": "Allow"
}
]
},
"id": null,
"name": "MyApiOrdersPostEventBusPolicyACA51C2D",
"type": "inline"
},
{
"arn": null,
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "events:PutEvents",
"Resource": "arn:aws:events:eu-west-1:120293923901:event-bus/MyApiEventBus",
"Effect": "Allow"
}
]
},
"id": null,
"name": "MyApiOrdersPostFunctionServiceRoleDefaultPolicyE7615F17",
"type": "inline"
},
]
}
如生成的策略所示,您的事件总线位于 eu-west-1 区域,但您正在尝试从 eu-north-1 访问它。换个地区就可以了。
EventBridgeClient 的 send 方法是异步的。所以应该是:
await eventBridge.send(event);
否则你不会注意到由此抛出的异常。
我想要一个创建 EventBridge 事件的 lambda,但在调用 lambda 时出现此错误:
User: arn:aws:sts::120293923901:assumed-role/MyApiOrdersPostFunct-I1QOYC7P1R0Z/MyApiOrdersPostFunct-SJtAeYoiaguW is not authorized to perform: events:PutEvents on resource: arn:aws:events:eu-north-1:120293923901:event-bus/MyApiEventBus because no identity-based policy allows the events:PutEvents action
我添加了政策但没有改变。
这是调用 eventbridge 的 lambda。
import { APIGatewayProxyHandler, APIGatewayProxyResult } from 'aws-lambda';
import { EventBridgeClient, PutEventsCommand } from '@aws-sdk/client-eventbridge';
const eventBridge = new EventBridgeClient({ region: 'eu-north-1' });
export const post: APIGatewayProxyHandler = async (): Promise<APIGatewayProxyResult> => {
const event = new PutEventsCommand({
Entries: [{
EventBusName: 'MyApiEventBus',
Source: 'MyApiEventBus.OrderCreated',
DetailType: 'OrderCreated',
Detail: JSON.stringify({ description: 'order has been created' }),
}]
});
eventBridge.send(event);
return {
statusCode: 200,
body: '',
};
};
这是 CDK 配置。有两个策略(attachInlinePolicy,addToRolePolicy)因为我都测试了。
import {
RestApi,
DomainName,
BasePathMapping,
LambdaIntegration,
Model,
} from '@aws-cdk/aws-apigateway';
import { EventBus, Rule } from '@aws-cdk/aws-events';
import { NodejsFunction } from '@aws-cdk/aws-lambda-nodejs';
import { Policy, PolicyStatement } from '@aws-cdk/aws-iam';
const MyApi = new RestApi(this, `RestApi`, {
restApiName: 'My API',
description: 'The My API',
});
// Add an Event Bus
const bus = new EventBus(this, `EventBus`, {
eventBusName: 'MyApiEventBus',
});
// Add API endpoint
const ordersResource = MyApi.root.addResource('orders');
const ordersPostFunction = new NodejsFunction(this, `OrdersPostFunction`, {
entry: './lambda.ts',
handler: 'post',
});
// Allow lambda to create events
ordersPostFunction.addToRolePolicy(
new PolicyStatement({
actions: ['events:PutEvents'],
resources: [bus.eventBusArn],
}),
);
ordersPostFunction.role?.attachInlinePolicy(
new Policy(this, `OrdersPostEventBusPolicy`, {
statements: [
new PolicyStatement({
actions: ['events:PutEvents'],
resources: [bus.eventBusArn],
}),
],
}),
);
// Role to allow for creating event (not working?)
bus.grantPutEventsTo(ordersPostFunction);
Lambda 角色文档
{
"sdkResponseMetadata": null,
"sdkHttpMetadata": null,
"partial": false,
"permissionsBoundary": null,
"policies": [
{
"arn": null,
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "events:PutEvents",
"Resource": "arn:aws:events:eu-west-1:120293923901:event-bus/MyApiEventBus",
"Effect": "Allow"
}
]
},
"id": null,
"name": "MyApiOrdersPostEventBusPolicyACA51C2D",
"type": "inline"
},
{
"arn": null,
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "events:PutEvents",
"Resource": "arn:aws:events:eu-west-1:120293923901:event-bus/MyApiEventBus",
"Effect": "Allow"
}
]
},
"id": null,
"name": "MyApiOrdersPostFunctionServiceRoleDefaultPolicyE7615F17",
"type": "inline"
},
]
}
如生成的策略所示,您的事件总线位于 eu-west-1 区域,但您正在尝试从 eu-north-1 访问它。换个地区就可以了。
EventBridgeClient 的 send 方法是异步的。所以应该是:
await eventBridge.send(event);
否则你不会注意到由此抛出的异常。