I am trying to create a Lambda function in AWS via the AWS CLI. When I run the command I get the error below, but the role I specify in the command has sufficient permissions to deploy Lambda functions. Even though the role has the permissions, I am not sure what is going wrong.

Command:

```shell
aws lambda create-function --function-name ukmon-appd-disabled-health-rules \
  --runtime python3.7 \
  --zip-file fileb://bin/disabled_health_rules.zip \
  --handler index.handler \
  --timeout 10 \
  --memory-size 1024 \
  --role arn:aws:iam::99999999999:role/crossaccount
```
Policy:

```json
"AllowLambdaFunctionStack": {
  "Type": "AWS::IAM::ManagedPolicy",
  "Properties": {
    "Description": "Policy for allowing jenkins cross account service role to create, update, delete lambda functions.",
    "Path": "/",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "lambda:InvokeFunction",
            "lambda:CreateFunction",
            "lambda:DeleteFunction",
            "lambda:GetFunction",
            "lambda:ListFunctions",
            "lambda:UpdateFunctionCode",
            "lambda:GetFunctionConfiguration",
            "lambda:UpdateFunctionConfiguration",
            "lambda:AddPermission",
            "lambda:RemovePermission",
            "lambda:CreateAlias",
            "lambda:DeleteAlias",
            "lambda:GetAlias",
            "lambda:ListAliases",
            "lambda:UpdateAlias",
            "lambda:GetPolicy",
            "lambda:InvokeAsync",
            "lambda:ListVersionsByFunction",
            "lambda:PublishVersion",
            "lambda:CreateEventSourceMapping",
            "lambda:GetEventSourceMapping",
            "lambda:ListEventSourceMappings",
            "lambda:DeleteEventSourceMapping",
            "lambda:UpdateEventSourceMapping",
            "lambda:TagResource",
            "lambda:ListTags",
            "lambda:UntagResource"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",
          "Sid": "AllowLambdaFuctionsStacks"
        }
      ]
    }
  }
}
```
Error:

```
An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:sts::999999999999:assumed-role/crossaccount/i-0d2dd689c2784f174 is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:eu-west-1:999999999999:function:ukmon-appd-disabled-health-rules
```

Thanks in advance.
Accepted answer
I ran into the same or a very similar problem.

Problem

My CodeBuild build was working fine until, after a new change, I started getting this error:

```
Error: error creating Lambda Function (1): AccessDeniedException:
status code: 403, request id: 31ea35dd-7c9f-4911-94ef-7c8eaae58b66
with module.app.module.lambda.aws_lambda_function.this,
on ../../../libraries/zip_lambda/main.tf line 22,
in resource "aws_lambda_function" "this":
```

The previous builds had gone smoothly, and clearly introducing this lambda broke the build.
Step 1 - Check the terraform plan

```hcl
# module.app.module.lambda.aws_lambda_function.this will be created
+ resource "aws_lambda_function" "this" {
    + arn           = (known after apply)
    + filename      = "../../../libraries/zip_lambda/../../../out/lambdas/some-name.zip"
    + function_name = "some-name"
    + handler       = "some-lambda-package/handler/handler.handler"
    + package_type  = "Zip"
    + role          = "arn:aws:iam::111122223333:role/LambdaExecution-some-lambda"
    + runtime       = "python3.9"
    ...
    ...
    + vpc_config {
        + security_group_ids = [
            + "sg-some-sg-id",
          ]
        + subnet_ids         = [
            + "subnet-some-subnet-1-id",
            + "subnet-some-subnet-2-id",
          ]
        + vpc_id             = (known after apply)
      }
  }
```
The key was realising that this lambda is trying to add a VPC configuration.

So I searched for `lambda in vpc security group permission`.

The first link took me to the AWS documentation, Lambda's VPC Configuration, that is AWS Docs > Lambda > Managing Functions > Networking > Execution role and user permissions:

> When you configure VPC connectivity, Lambda uses your permissions to verify network resources. To configure a function to connect to a VPC, your AWS Identity and Access Management (IAM) user needs the following permissions:
>
> User permissions
>
> ec2:DescribeSecurityGroups
> ec2:DescribeSubnets
> ec2:DescribeVpcs
Solution

Add these permissions to the role that CodeBuild assumes to build and deploy the infrastructure described in Terraform:

- ec2:DescribeSecurityGroups
- ec2:DescribeSubnets
- ec2:DescribeVpcs
Note

It is important to note that this AccessDeniedException is caused by the deploying service or user lacking sufficient permissions. It has nothing to do with the permissions assigned to the Lambda role.

My lambda role (role/LambdaExecution-some-lambda)

The IAM role used is almost exactly the one from the AWS Lambda Developer Guide documentation.
Policy permissions

```hcl
permissions = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
               "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"]
```

Assume role policy

```hcl
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    sid     = "LambdaRole"
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
```
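Both posts in this thread show the same root cause from the defender's side: the AccessDeniedException is evaluated against the *caller's* identity policy, not the Lambda execution role, and the caller needs an Allow whose Action and Resource patterns both cover every API call CreateFunction makes. The following script is an added example, not code from either poster or from AWS: it models the small slice of IAM evaluation needed here (Allow statements with `*`/`?` wildcards, implicit deny; no Deny statements, conditions, NotAction, resource policies or SCPs) and runs it over two constructed policies. The first is abridged from the question's statement, whose Resource pattern `function:crossaccount-*` is checked against the function ARN in the question's error; the second is a deployer policy without the three `ec2:Describe*` actions the answer adds for a function with `vpc_config` (those actions do not support resource-level restrictions, so their resource is `*`). The account id `111122223333` is taken from the answer's plan, the region and function ARN for that case are constructed.

```python
"""Offline simulation of IAM identity-policy evaluation for CreateFunction.
Added example; models only Allow statements with wildcards and implicit deny."""
import re


def _iam_glob(pattern: str, ignore_case: bool) -> re.Pattern:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    esc = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{esc}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource.
    Action names are case-insensitive in IAM; ARNs are matched as written.
    Anything not explicitly allowed is implicitly denied."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_iam_glob(a, True).match(action) for a in _as_list(stmt["Action"])):
            continue
        if any(_iam_glob(r, False).match(resource) for r in _as_list(stmt["Resource"])):
            return True
    return False


def calls_for_create_function(function_arn: str, vpc_config: bool) -> list:
    """(action, resource) pairs the *caller* must be allowed for CreateFunction.
    With a vpc_config, Lambda also uses the caller's permissions to look up the
    network resources (the 'user permissions' quoted in the answer)."""
    calls = [("lambda:CreateFunction", function_arn)]
    if vpc_config:
        calls += [(a, "*") for a in ("ec2:DescribeSecurityGroups",
                                     "ec2:DescribeSubnets",
                                     "ec2:DescribeVpcs")]
    return calls


def denied_calls(policy: dict, function_arn: str, vpc_config: bool = False) -> list:
    """Every call the policy would implicitly deny, in the order Lambda needs them."""
    return [(a, r) for a, r in calls_for_create_function(function_arn, vpc_config)
            if not is_allowed(policy, a, r)]


# Constructed from the question (action list abridged): only crossaccount-* names are covered.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowLambdaFuctionsStacks",
        "Effect": "Allow",
        "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode"],
        "Resource": "arn:aws:lambda:eu-west-1:999999999999:function:crossaccount-*",
    }],
}
QUESTION_ARN = "arn:aws:lambda:eu-west-1:999999999999:function:ukmon-appd-disabled-health-rules"

# Constructed: a deployer policy that covers the function but lacks ec2:Describe*.
DEPLOYER_POLICY_NO_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "lambda:*",
        "Resource": "arn:aws:lambda:eu-west-1:111122223333:function:*",
    }],
}
# The answer's fix: the same policy plus the three ec2:Describe* actions on "*".
DEPLOYER_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": DEPLOYER_POLICY_NO_EC2["Statement"] + [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs"],
        "Resource": "*",
    }],
}
ANSWER_ARN = "arn:aws:lambda:eu-west-1:111122223333:function:some-name"  # constructed

if __name__ == "__main__":
    cases = [("question policy, no vpc", QUESTION_POLICY, QUESTION_ARN, False),
             ("deployer without ec2, vpc", DEPLOYER_POLICY_NO_EC2, ANSWER_ARN, True),
             ("deployer fixed, vpc", DEPLOYER_POLICY_FIXED, ANSWER_ARN, True)]
    for name, policy, arn, vpc in cases:
        print(f"{name}: {denied_calls(policy, arn, vpc) or 'all calls allowed'}")
```

Running it prints the denied (action, resource) pairs for each case, which is the same information the real error message gives one call at a time; replacing the constructed policies with a policy document from `aws iam get-policy-version` lets you check a role before a deployment pipeline hits the 403.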
On amazon-web-services - AccessDeniedException when deploying a lambda function, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55027952/