Access Denied Error while inserting into Aws Timestream on Serverless Stack
I'm trying to insert records into my AWS Timestream table. It's getting an Access Denied error.
Here are the permissions in serverless.yml:
- Effect: Allow
  Action:
    - timestream:*
  Resource:
    - arn:aws:timestream:${self:provider.region}:*:database/*
    - arn:aws:timestream:${self:provider.region}:*:database/*/*/*
Here are the role details for my lambda:
{
  "Action": [
    "timestream:*"
  ],
  "Resource": [
    "arn:aws:timestream:us-east-1:*:database/*",
    "arn:aws:timestream:us-east-1:*:database/*/*/*"
  ],
  "Effect": "Allow"
},
Sample record:
{
  "DatabaseName": "developmentreportsdb",
  "TableName": "developmenteventstable",
  "Records": [
    {
      "Dimensions": [
        {
          "Name": "accountId",
          "Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
        },
        {
          "Name": "userId",
          "Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
        }
      ],
      "MeasureName": "ACCOUNT.NEW",
      "MeasureValue": "6921e43e-266c-4adf-8a69-d90bd8743d1b",
      "MeasureValueType": "VARCHAR",
      "Time": "1644234263813",
      "TimeUnit": "MILLISECONDS",
      "Version": 1
    }
  ]
}
Error details:
Error writing records: AccessDeniedException: User: arn:aws:sts::344128203239:assumed-role/development-us-east-1-lambdaRole/development-worker is not authorized to perform: timestream:DescribeEndpoints because no identity-based policy allows the timestream:DescribeEndpoints action
TIA. What am I missing here?
The DescribeEndpoints permission is required to resolve the endpoint that the Timestream SDK has to connect to.
It is needed for both read and write access.
The following example policy only allows the user read access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "timestream:Select",
      "Resource": "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "timestream:DescribeEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
Here is an example of the minimum permissions required for a user to have write access only:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "timestream:WriteRecords"
      ],
      "Resource": [
        "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "timestream:DescribeEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
Here is an example where the user has both permissions (read + write):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "timestream:WriteRecords",
        "timestream:Select"
      ],
      "Resource": [
        "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "timestream:DescribeEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
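The point the answer makes can be reproduced offline with a small simulator of IAM identity-policy evaluation. The following is an added example, not code from the question or the answer: it models only Effect, Action and Resource (NotAction, Condition blocks, resource policies, SCPs and permission boundaries are ignored, which is an assumption), feeds it the asker's statement and the answer's write-only policy, and shows why `timestream:*` scoped to database and table ARNs still fails on `timestream:DescribeEndpoints`: that action carries no resource-level ARN, so IAM evaluates it against `*`, and only a statement whose Resource is `*` can match. The table ARN and account ID are constructed from the names and the error message in the post.

```python
import re

# Constructed from the question: database/table names plus the account ID
# that appears in the error message (assumption: same account, us-east-1).
ACCOUNT = "344128203239"
TABLE_ARN = (f"arn:aws:timestream:us-east-1:{ACCOUNT}:"
             "database/developmentreportsdb/table/developmenteventstable")

# The statement the asker's serverless.yml produced (copied from the post).
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["timestream:*"],
        "Resource": ["arn:aws:timestream:us-east-1:*:database/*",
                     "arn:aws:timestream:us-east-1:*:database/*/*/*"],
    }],
}

# The answer's write-only policy with the constructed table ARN substituted in.
WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["timestream:WriteRecords"],
         "Resource": [TABLE_ARN]},
        {"Effect": "Allow", "Action": ["timestream:DescribeEndpoints"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters (it crosses '/' and
    ':'), '?' is exactly one character, everything else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM decision: default deny, any matching Allow grants,
    any matching explicit Deny overrides every Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # action names are case-insensitive, ARNs are case-sensitive
        if not any(_wild_match(a, action, ignore_case=True)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wild_match(r, resource)
                   for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_for_write(policy, table_arn):
    """Actions on the SDK's WriteRecords path that `policy` does not grant.
    DescribeEndpoints is evaluated against "*" because it has no ARN."""
    path = [("timestream:DescribeEndpoints", "*"),
            ("timestream:WriteRecords", table_arn)]
    return [act for act, res in path if not is_allowed(policy, act, res)]


if __name__ == "__main__":
    print("asker's role, missing:", missing_for_write(ASKER_POLICY, TABLE_ARN))
    print("write-only policy, missing:", missing_for_write(WRITE_ONLY_POLICY, TABLE_ARN))
    # timestream:* also hands the worker destructive actions it never needs,
    # which is what the answer's least-privilege policies avoid.
    print("asker's role can DeleteTable:",
          is_allowed(ASKER_POLICY, "timestream:DeleteTable", TABLE_ARN))
    print("write-only policy can Select:",
          is_allowed(WRITE_ONLY_POLICY, "timestream:Select", TABLE_ARN))
```

Run as a script, the asker's statement reports `timestream:DescribeEndpoints` as the missing action while still allowing `WriteRecords` on the table, which matches the error message in the question; the answer's write-only policy reports nothing missing and refuses `Select` and `DeleteTable`. The fix in serverless.yml is therefore a second statement granting `timestream:DescribeEndpoints` on resource `*`, not a broader resource ARN on the first one.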