I have the following Lambda function configuration in Terraform:

resource "aws_lambda_function" "test_lambda" {
  # filename         = "crawler/dist/deploy.zip"
  s3_bucket        = "${var.s3-bucket}"
  s3_key           = "${aws_s3_bucket_object.file_upload.key}"
  # source_code_hash = "${filebase64sha256("file.zip")}"
  function_name    = "quote-crawler"
  role             = "arn:aws:iam::773592622512:role/LambdaRole"
  handler          = "handler.handler"
  source_code_hash = "${data.archive_file.zipit.output_base64sha256}"
  runtime          = "${var.runtime}"
  timeout          = 180

  environment {
    variables = {
      foo = "bar"
    }
  }
}

When I run the Lambda and it tries to upload a file to the S3 bucket, I get the error "errorMessage": "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied". It looks like the Lambda function does not have permission to access S3. The Terraform documentation is not clear on how to configure this. The permissions configuration panel also does not appear in the Lambda console. It seems that a Lambda created by Terraform has limited configuration available to me. So how do I grant S3 permissions to the Lambda?
Best answer

To keep it simple, you can do this in three steps:

- create a role
- create a policy
- attach the policy to the role
- attach the role to the Lambda

Create the role.
resource "aws_iam_role" "role" {
  name = "${var.env_prefix_name}-alb-logs-to-elk"
  path = "/"

  # Trust policy: lets the Lambda service assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
Create a policy that grants access to S3.

# Policy for the IAM role
resource "aws_iam_policy" "policy" {
  name        = "${var.env_prefix_name}-test-policy"
  description = "A test policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
EOF
}
Attach the newly created policy to the IAM role.

resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = "${aws_iam_role.role.name}"
  policy_arn = "${aws_iam_policy.policy.arn}"
}
Now attach the role to the Lambda resource.

resource "aws_lambda_function" "test_lambda" {
  # filename         = "crawler/dist/deploy.zip"
  s3_bucket        = "${var.s3-bucket}"
  s3_key           = "${aws_s3_bucket_object.file_upload.key}"
  # source_code_hash = "${filebase64sha256("file.zip")}"
  function_name    = "quote-crawler"
  role             = "${aws_iam_role.role.arn}"
  handler          = "handler.handler"
  source_code_hash = "${data.archive_file.zipit.output_base64sha256}"
  runtime          = "${var.runtime}"
  timeout          = 180

  environment {
    variables = {
      foo = "bar"
    }
  }
}
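The answer above grants `s3:*` on every bucket and `logs:*` on every log group, which is far more than a crawler that only writes its output needs. The following is an added example, not part of the original answer or the asker's code, showing the same role / policy / attachment pattern in current Terraform (0.12+) syntax, scoped to least privilege: the AWS managed `AWSLambdaBasicExecutionRole` policy for CloudWatch Logs, and `s3:PutObject` only, under one prefix of one bucket. The variable names `upload_bucket` and `runtime`, the `crawler-output/` prefix, the `quote-crawler-role` name, and the local `./crawler` source directory are assumptions for illustration.

```hcl
# Added example (not from the original answer). Assumptions: a caller-supplied
# bucket name in var.upload_bucket, and a local ./crawler directory holding
# handler.py with a function named "handler".

variable "upload_bucket" {
  description = "Bucket the crawler writes into (assumed; supplied by the caller)"
  type        = string
}

variable "runtime" {
  type    = string
  default = "python3.9"
}

# Package the handler from source so the example depends on no external artifact.
data "archive_file" "zipit" {
  type        = "zip"
  source_dir  = "${path.module}/crawler"
  output_path = "${path.module}/dist/deploy.zip"
}

# Trust policy: only the Lambda service may assume this role.
data "aws_iam_policy_document" "lambda_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "crawler" {
  name               = "quote-crawler-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume.json
}

# CloudWatch Logs: the AWS managed basic execution policy (CreateLogGroup,
# CreateLogStream, PutLogEvents) instead of logs:* on every log group.
resource "aws_iam_role_policy_attachment" "crawler_logs" {
  role       = aws_iam_role.crawler.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# S3: only PutObject, only under one prefix of the one bucket the crawler writes to.
# No bucket-level actions (ListBucket, GetBucketLocation) are needed for PutObject.
data "aws_iam_policy_document" "crawler_s3" {
  statement {
    sid       = "PutCrawlerOutput"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::${var.upload_bucket}/crawler-output/*"]
  }
}

# Inline role policy: lives and dies with the role, so nothing is left dangling.
resource "aws_iam_role_policy" "crawler_s3" {
  name   = "quote-crawler-s3-put"
  role   = aws_iam_role.crawler.id
  policy = data.aws_iam_policy_document.crawler_s3.json
}

resource "aws_lambda_function" "quote_crawler" {
  function_name    = "quote-crawler"
  role             = aws_iam_role.crawler.arn
  handler          = "handler.handler"
  runtime          = var.runtime
  timeout          = 180
  filename         = data.archive_file.zipit.output_path
  source_code_hash = data.archive_file.zipit.output_base64sha256

  # Hand the handler the exact bucket and prefix the policy allows,
  # so code and policy cannot silently drift apart.
  environment {
    variables = {
      UPLOAD_BUCKET = var.upload_bucket
      UPLOAD_PREFIX = "crawler-output/"
    }
  }

  # Ensure the permissions exist before the function can first be invoked.
  depends_on = [
    aws_iam_role_policy_attachment.crawler_logs,
    aws_iam_role_policy.crawler_s3,
  ]
}
```

The identity policy on the execution role is sufficient when the bucket is in the same account and its bucket policy contains no explicit `Deny` that matches the role. If the bucket is in another account, its bucket policy must also allow the role's ARN. If the bucket enforces SSE-KMS with a customer managed key, `PutObject` will still fail with `AccessDenied` until the role is also granted `kms:GenerateDataKey` on that key.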
Regarding amazon-s3 - How to grant a lambda permission to upload files to an s3 bucket in `terraform`?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57145353/