Give permission to invoke lambda from ECS by cdk
When invoking lambda from ECS, I get a permission error.
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:sts::678100228XXX:assumed-role/vw-dev-fargate-stack-TaskDefAdminTaskRoleA25A3679-1K9EPRKUW9TNV/21bdeb6c10b14db4b1515986d946959a is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-northeast-1:678100228XXX:function:vw-dev-lambda because no identity-based policy allows the lambda:InvokeFunction action
So I want to give ECS permission to access lambda.
I set up ecs in ecs.ts and lambda in lambda.ts.
My current idea is to grant ecs the permission in lambda.ts.
In my ecs.ts:
const ecsAdminService = new ecs.FargateService(this, "AdminService", {
  cluster,
  taskDefinition: taskDefinitionAdmin,
  desiredCount: 2,
  vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
  assignPublicIp: true,
  securityGroups: [adminServiceSg],
  enableExecuteCommand: true,
  serviceName: "sw-ecs-my-dx-tokyo-jxc-91"
});
In my lambda.ts:
const myLambda = new lambda.DockerImageFunction(this, "myLambda", {
  functionName: `vw-${targetEnv}-lambda`,
  vpc: vpc,
  vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
  timeout: cdk.Duration.minutes(1),
  code: lambda.DockerImageCode.fromEcr(myEcrRepo),
  environment: {
  }
});
// I am making here below.
const ecs = "somehow get the ecs here";
myLambda.grantInvoke(ecs); // Something like this.
Am I right??
I have two problems.
How do I get the ecs that is defined in another file?
How do I grant ecs invoke permission?
Or am I fundamentally wrong?
Any help is appreciated. Thank you very much.
This is easily done by passing variables between stacks.
For example, some-app:
// bin/some-app.ts
import * as cdk from 'aws-cdk-lib';
import { SomeEcsStack } from '../lib/ecs';
import { SomeLambdaStack } from '../lib/lambda';

const app = new cdk.App();
// Create the lambda stack first so its function can be handed to the ECS stack.
const lmb = new SomeLambdaStack(app, 'SomeLambdaStack');
new SomeEcsStack(app, 'SomeEcsStack', {
  lambdaFunc: lmb.lambdaFunc
});
Expose your lambda function as a public property
// lib/lambda.ts
import * as cdk from 'aws-cdk-lib';
import { Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecr from 'aws-cdk-lib/aws-ecr';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

export class SomeLambdaStack extends Stack {
  public readonly lambdaFunc: lambda.Function; // <-- making it available

  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Placeholders for values the question defines elsewhere (not shown); replace with your own.
    const targetEnv: string = this.node.tryGetContext('targetEnv') ?? 'dev';
    const vpc = new ec2.Vpc(this, 'Vpc');
    const myEcrRepo = ecr.Repository.fromRepositoryName(this, 'LambdaRepo', 'vw-lambda');

    const myLambda = new lambda.DockerImageFunction(this, "myLambda", {
      functionName: `vw-${targetEnv}-lambda`,
      vpc: vpc,
      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
      timeout: cdk.Duration.minutes(1),
      code: lambda.DockerImageCode.fromEcr(myEcrRepo),
    });
    this.lambdaFunc = myLambda; // <-- making it available
  }
}
Grant the ecs task definition role permission to invoke
// lib/ecs.ts
import { Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

export interface SomeEcsStackProps extends StackProps {
  readonly lambdaFunc: lambda.Function; // <-- expect lambda to be passed
}

export class SomeEcsStack extends Stack {
  // props is required (not optional): the stack needs the function to grant on.
  constructor(scope: Construct, id: string, props: SomeEcsStackProps) {
    super(scope, id, props);

    // Placeholders for resources the question defines elsewhere (not shown); replace with your own.
    const vpc = new ec2.Vpc(this, 'Vpc');
    const cluster = new ecs.Cluster(this, 'Cluster', { vpc });
    const adminServiceSg = new ec2.SecurityGroup(this, 'AdminServiceSg', { vpc });
    const taskDefinitionAdmin = new ecs.FargateTaskDefinition(this, 'TaskDefAdmin');
    taskDefinitionAdmin.addContainer('admin', {
      image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
    });

    const ecsAdminService = new ecs.FargateService(this, "AdminService", {
      cluster,
      taskDefinition: taskDefinitionAdmin,
      desiredCount: 2,
      vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
      assignPublicIp: true,
      securityGroups: [adminServiceSg],
      enableExecuteCommand: true,
      serviceName: "sw-ecs-my-dx-tokyo-jxc-91"
    });

    // Grant lambda:InvokeFunction on this one function to the task role, which is the
    // role named in the AccessDeniedException (not the execution role).
    props.lambdaFunc.grantInvoke(taskDefinitionAdmin.taskRole); // <-- Grant permission to task role
  }
}
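As an added example (not code from the question or the answer above), the following TypeScript parses the AccessDeniedException text boto3 raised in the question, identifies which role actually needs the grant, and builds the least-privilege statement that scoping the grant to the task role produces. The `isCdkTaskRole` heuristic (task roles created by `ecs.TaskDefinition` carry "TaskRole" in their CDK-generated physical name, execution roles carry "ExecutionRole") and the function names are my own assumptions; the error text is the one from the question.

```typescript
// Added example: parse an IAM AccessDenied message from a Lambda Invoke call made by an
// ECS task and derive the minimal fix. Not part of the original question or answer.

interface AccessDeniedDetails {
  account: string;       // account in the STS ARN (redacted as 678100228XXX in the question)
  roleName: string;      // IAM role the task assumed
  sessionName: string;   // STS session name; for ECS tasks this is the task id
  action: string;        // denied IAM action, e.g. lambda:InvokeFunction
  resourceArn: string;   // ARN the action was attempted on
  missingPolicyKind: 'identity-based' | 'resource-based' | 'unknown';
}

// Error text copied verbatim from the question.
const SAMPLE_ERROR =
  'botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the ' +
  'Invoke operation: User: arn:aws:sts::678100228XXX:assumed-role/' +
  'vw-dev-fargate-stack-TaskDefAdminTaskRoleA25A3679-1K9EPRKUW9TNV/21bdeb6c10b14db4b1515986d946959a ' +
  'is not authorized to perform: lambda:InvokeFunction on resource: ' +
  'arn:aws:lambda:ap-northeast-1:678100228XXX:function:vw-dev-lambda ' +
  'because no identity-based policy allows the lambda:InvokeFunction action';

// Shape of the IAM denial: principal ARN, denied action, denied resource.
const DENIAL_RE =
  /User: arn:aws:sts::([^:\s]*):assumed-role\/([^/\s]+)\/(\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

function parseAccessDenied(message: string): AccessDeniedDetails | undefined {
  const m = DENIAL_RE.exec(message);
  if (!m) return undefined;
  const [, account, roleName, sessionName, action, resourceArn] = m;
  let missingPolicyKind: AccessDeniedDetails['missingPolicyKind'] = 'unknown';
  if (message.includes('no identity-based policy allows')) missingPolicyKind = 'identity-based';
  else if (message.includes('no resource-based policy allows')) missingPolicyKind = 'resource-based';
  return { account, roleName, sessionName, action, resourceArn, missingPolicyKind };
}

// Heuristic (assumption) for CDK-generated role names: ecs.TaskDefinition creates its roles
// with the construct ids "TaskRole" and "ExecutionRole", which survive into the physical name.
// The grant has to land on the task role (the one in the error), not the execution role.
function isCdkTaskRole(roleName: string): boolean {
  return roleName.includes('TaskRole') && !roleName.includes('ExecutionRole');
}

// Least-privilege statement: only the denied action, only on the denied function ARN,
// rather than lambda:InvokeFunction on "*". This is the shape grantInvoke(taskRole) yields.
function minimalAllowStatement(d: AccessDeniedDetails): { Effect: string; Action: string[]; Resource: string[] } {
  return { Effect: 'Allow', Action: [d.action], Resource: [d.resourceArn] };
}

// Human-readable remediation for a given error message.
function describeFix(message: string): string {
  const d = parseAccessDenied(message);
  if (!d) return 'not an IAM AccessDenied message';
  const role = isCdkTaskRole(d.roleName) ? 'task role' : 'role';
  return `attach ${JSON.stringify(minimalAllowStatement(d))} to ${role} ${d.roleName}`;
}
```

After applying the answer's change, `cdk synth SomeEcsStack` should show a policy on the task role containing exactly this action and resource; if the error persists, compare the role name in the new error against the role the grant was attached to.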