我觉得这个问题已经被问到了很多,但从目前的答案来看,没有什么对我有用。
我正在尝试使用无服务器部署应用程序。我的 serverless.yml是:
app: product-events-api
service: product-events
custom:
secrets: ${ssm:/aws/reference/secretsmanager/serverless-product-events-${self:provider.stage}~true, ''}
provider:
name: aws
runtime: nodejs10.x
region: eu-west-1
stage: ${opt:stage, 'preview'}
timeout: 30
# Role ARN must adhere to the RegEx: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+
role: arn:aws:iam::${self:custom.secrets.AWS_ACCOUNT_ID}:role/${self:custom.secrets.IAM_ROLE_NAME}
vpc: ${self:custom.secrets.vpc}
environment:
STAGE: ${self:provider.stage}
NODE_ENV: production
DB_NAME: ${self:custom.secrets.DB_NAME}
DB_URL: ${self:custom.secrets.DB_URL}
functions:
getProductEvents:
handler: src/routes/api/handler.events
memorySize: 1024
description: Get product event
events:
- http:
path: /events
method: get
role评估为 arn:aws:iam::<Account ID>:role/lambda_basic_execution 的绝对 ARN .运行
sls deploy --stage production给了我错误:An error occurred: GetProductEventsLambdaFunction - The role defined for the function cannot be assumed by Lambda. (Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: 4750b33e-329c-4383-abd4-a61ec4d326b2).
我们拥有的几乎每个 lambda 都使用这个 IAM 角色。我转向这个答案试图定义
role只是在函数级别的名称,但得到:The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource lamba_basic_execution
如果我跑;
aws iam get-role --role-name lambda_basic_execution ,我返回:{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
},
"MaxSessionDuration": 3600,
"RoleId": "<Role ID>",
"CreateDate": "2015-10-13T15:06:34Z",
"RoleName": "lambda_basic_execution",
"Path": "/",
"Arn": "arn:aws:iam::<Account ID>:role/lambda_basic_execution"
}
}
如果我删除声明
role从模板,部署工作,然后我可以通过控制台手动添加角色。我想这是一个无服务器问题。
最佳答案
正如您提到的,您几乎没有使用相同 IAM 角色的 lambda,我建议您创建一个 IAM 角色作为 serverless.yml 脚本的一部分。这种方法的好处是您可以根据 future 的需要轻松添加或删除任何权限。你可以做类似的事情
YourIAMRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- # Any permission you want to add, For an example I am adding S3
PolicyName: "resources_access"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action: "s3:Get*"
Resource: !Join
- ''
- - "arn:aws:s3:::"
- !Ref YourParameteredBucketName
完成此操作后,您可以将此角色分配给您的功能,如下所示:
Role: !GetAtt YourIAMRole.Arn
关于amazon-web-services - 无服务器部署 lambda 无法承担现有 IAM 角色,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/59030455/