预先注意:我通过 IAM 用户控制台账户执行我的所有 AWS 配置,该账户基本上拥有 AWS/Amazon 账户所有者的所有权限。我将此 IAM 用户称为 根帐户。
问题描述:
仅限编程访问: lambda 测试
正确验证的策略声明如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1111111111111", # <--- Altered for this post.
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:ListFunctions",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": [
"arn:aws:lambda:*"
]
}
]
}
回到笔记本电脑的 CLI,我发出以下命令,它会生成一个 AccessDeniedException:
user@linux$ aws lambda list-functions --profile lambda-test
这是异常(exception):
An error occurred (AccessDeniedException) when calling the ListFunctions operation: User: arn:aws:iam::<AWS-Account-ID>:user/lambda-test is not authorized to perform: lambda:ListFunctions
我错过了什么? (当然我做了。=:))
提前致谢!
最佳答案
您可以将两种类型的访问策略用于 AWS lambda:
1) 基于身份的策略(IAM 策略)
您正在使用的是 IAM 策略。如果您阅读本文 AWS lambda access control overview documentation ,当您使用基于 IAM 的访问时,现在 AWS 仅支持 * 作为资源。因为“lambda:ListFunctions”不能用完整的 ARN 调用(引用 this documentation 可以用完整的 arn 调用,哪些可以用 * 调用),你需要给 *。
In the current implementation, Lambda doesn't support identifying specific resources using the resource ARNs (also referred to as resource-level permissions) for some of the API actions, so you must specify a wildcard character (*).
2) 基于资源的策略(Lambda 函数策略)
Each Lambda function can have resource-based permissions policies associated with it. For Lambda, a Lambda function is the primary resource and these policies are referred to as Lambda function policies. You can use a Lambda function policy to grant cross-account permissions as an alternative to using identity-based policies with IAM roles. For example, you can grant Amazon S3 permissions to invoke your Lambda function by simply adding permissions to the Lambda function policy instead of creating an IAM role.
更多 examples are here
关于amazon-web-services - IAM 用户上 lambda ListFunctions 的 AWS AccessDeniedException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43986734/