AWS Lambda 部署 - AccessDeniedException
AWS Lambda Deployment - AccessDeniedException
我已经部署了一个使用 dynamodb 的 aws lambda 应用程序,但是当我 运行 lambda 函数时,我收到以下错误
START RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Version: $LATEST
2021-12-20T06:32:08.533Z 325ce8ea-ed86-404c-8756-ee46dbefae35 ERROR query-error: AccessDeniedException: User: arn:aws:sts::579450367668:assumed-role/lead-management-app-dev-eu-west-1-lambdaRole/lead-management-app-dev-submitLeadForm is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index
END RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35
REPORT RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Duration: 14.83 ms Billed Duration: 15 ms Memory Size: 1024 MB Max Memory Used: 81 MB
我该如何解决这个问题?
我在下面附上我的 serverless.ts
/* eslint no-use-before-define: 0 */
import type { AWS } from "@serverless/typescript";
// DynamoDB
import dynamoDbTables from "./resources/dynamodb-tables";
// Functions
import functions from "./resources/functions";
const serverlessConfiguration: AWS = {
service: "lead-management-app",
frameworkVersion: "2",
custom: {
region: "${opt:region, self:provider.region}",
stage: "${opt:stage, self:provider.stage}",
prefix: "${self:service}-${self:custom.stage}",
lead_table: "${self:service}-leads-${opt:stage, self:provider.stage}",
interest_table:
"${self:service}-interests-${opt:stage, self:provider.stage}",
table_throughputs: {
prod: 5,
default: 1,
},
table_throughput:
"${self:custom.table_throughputs.${self:custom.stage}, self:custom.table_throughputs.default}",
dynamodb: {
stages: ["dev"],
start: {
port: 8008,
inMemory: true,
heapInitial: "200m",
heapMax: "1g",
migrate: true,
seed: true,
convertEmptyValues: true,
// Uncomment only if you already have a DynamoDB running locally
// noStart: true
},
},
["serverless-offline"]: {
httpPort: 3000,
babelOptions: {
presets: ["env"],
},
},
profile: {
prod: "prodAccount",
dev: "devAccount",
},
},
plugins: [
"serverless-bundle",
"serverless-dynamodb-local",
"serverless-offline",
"serverless-dotenv-plugin",
],
provider: {
name: "aws",
runtime: "nodejs14.x",
stage: "dev",
region: "ap-south-1",
apiGateway: {
minimumCompressionSize: 1024,
shouldStartNameWithService: true,
},
environment: {
AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1",
NODE_OPTIONS: "--enable-source-maps --stack-trace-limit=1000",
REGION: "${self:custom.region}",
STAGE: "${self:custom.stage}",
LEADS_TABLE: "${self:custom.lead_table}",
INTERESTS_TABLE: "${self:custom.interest_table}",
},
iamRoleStatements: [
{
Effect: "Allow",
Action: [
"dynamodb:DescribeTable",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
],
Resource: [
{ "Fn::GetAtt": ["LeadsTable", "Arn"] },
{ "Fn::GetAtt": ["InterestsTable", "Arn"] },
],
},
],
profile: "${self:custom.profile.${self:custom.stage}}",
lambdaHashingVersion: "20201221",
},
// import the function via paths
functions,
package: { individually: true },
resources: {
Resources: dynamoDbTables,
},
};
module.exports = serverlessConfiguration;
这可以通过应用程序解决吗,还是我应该从 aws 控制台授予许可?
有没有我应该授予的推荐权限列表?
您的 lambda 函数承担的角色没有访问 Dynamo Db 所需的权限table。要解决此问题,您需要将适当的策略附加到您的 lambda 函数角色。
This 页面包含授予 Read/Write 访问您的 lambda 函数的策略。
您需要将以下权限(至少,可能更多)附加到角色 lead-management-app-dev-eu-west-1-lambdaRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index",
"Effect": "Allow"
}
]
}
如果您在 AWS 控制台中执行此操作,您可以在 Permissions/Configuration 中找到 Lambda 函数的执行角色。
我已经部署了一个使用 dynamodb 的 aws lambda 应用程序,但是当我 运行 lambda 函数时,我收到以下错误
START RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Version: $LATEST
2021-12-20T06:32:08.533Z 325ce8ea-ed86-404c-8756-ee46dbefae35 ERROR query-error: AccessDeniedException: User: arn:aws:sts::579450367668:assumed-role/lead-management-app-dev-eu-west-1-lambdaRole/lead-management-app-dev-submitLeadForm is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index
END RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35
REPORT RequestId: 325ce8ea-ed86-404c-8756-ee46dbefae35 Duration: 14.83 ms Billed Duration: 15 ms Memory Size: 1024 MB Max Memory Used: 81 MB
我该如何解决这个问题?
我在下面附上我的 serverless.ts
/* eslint no-use-before-define: 0 */
import type { AWS } from "@serverless/typescript";
// DynamoDB
import dynamoDbTables from "./resources/dynamodb-tables";
// Functions
import functions from "./resources/functions";
const serverlessConfiguration: AWS = {
service: "lead-management-app",
frameworkVersion: "2",
custom: {
region: "${opt:region, self:provider.region}",
stage: "${opt:stage, self:provider.stage}",
prefix: "${self:service}-${self:custom.stage}",
lead_table: "${self:service}-leads-${opt:stage, self:provider.stage}",
interest_table:
"${self:service}-interests-${opt:stage, self:provider.stage}",
table_throughputs: {
prod: 5,
default: 1,
},
table_throughput:
"${self:custom.table_throughputs.${self:custom.stage}, self:custom.table_throughputs.default}",
dynamodb: {
stages: ["dev"],
start: {
port: 8008,
inMemory: true,
heapInitial: "200m",
heapMax: "1g",
migrate: true,
seed: true,
convertEmptyValues: true,
// Uncomment only if you already have a DynamoDB running locally
// noStart: true
},
},
["serverless-offline"]: {
httpPort: 3000,
babelOptions: {
presets: ["env"],
},
},
profile: {
prod: "prodAccount",
dev: "devAccount",
},
},
plugins: [
"serverless-bundle",
"serverless-dynamodb-local",
"serverless-offline",
"serverless-dotenv-plugin",
],
provider: {
name: "aws",
runtime: "nodejs14.x",
stage: "dev",
region: "ap-south-1",
apiGateway: {
minimumCompressionSize: 1024,
shouldStartNameWithService: true,
},
environment: {
AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1",
NODE_OPTIONS: "--enable-source-maps --stack-trace-limit=1000",
REGION: "${self:custom.region}",
STAGE: "${self:custom.stage}",
LEADS_TABLE: "${self:custom.lead_table}",
INTERESTS_TABLE: "${self:custom.interest_table}",
},
iamRoleStatements: [
{
Effect: "Allow",
Action: [
"dynamodb:DescribeTable",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
],
Resource: [
{ "Fn::GetAtt": ["LeadsTable", "Arn"] },
{ "Fn::GetAtt": ["InterestsTable", "Arn"] },
],
},
],
profile: "${self:custom.profile.${self:custom.stage}}",
lambdaHashingVersion: "20201221",
},
// import the function via paths
functions,
package: { individually: true },
resources: {
Resources: dynamoDbTables,
},
};
module.exports = serverlessConfiguration;
这可以通过应用程序解决吗,还是我应该从 aws 控制台授予许可?
有没有我应该授予的推荐权限列表?
您的 lambda 函数承担的角色没有访问 Dynamo Db 所需的权限table。要解决此问题,您需要将适当的策略附加到您的 lambda 函数角色。
This 页面包含授予 Read/Write 访问您的 lambda 函数的策略。
您需要将以下权限(至少,可能更多)附加到角色 lead-management-app-dev-eu-west-1-lambdaRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:eu-west-1:579450367668:table/lead-management-app-leads-dev/index/emai_index",
"Effect": "Allow"
}
]
}
如果您在 AWS 控制台中执行此操作,您可以在 Permissions/Configuration 中找到 Lambda 函数的执行角色。