amazon-web-services - Unable to create an AWS Lambda function with CDK

Tags amazon-web-services aws-lambda aws-cloudformation aws-cdk

I am new to CDK and I want to create a simple lambda function using CDK. cdk synth gives no error, but when I run cdk deploy --profile myprofile I get this error

Resource handler returned message: "User: arn:aws:sts::xxxxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa because no identity-based policy allows the lambda:CreateFunction action (Service: Lambda, Status Code: 403, Request ID: 61895893-bf12-48bf-a51a-dbcf11fc17d8)" (RequestToken: 0e3ec851-6bd2-9ef3-751c-a3a947a72668, HandlerErrorCode: AccessDenied)

Here is the source code

bin/api_lamda.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { ApiLamdaStack } from '../lib/api_lamda-stack';

const app = new cdk.App();
new ApiLamdaStack(app, 'ApiLamdaStack', {
  env: { account: 'xxx', region: 'yyy' },
});

lib\api_lamda-stack.ts

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Code, Function as LamdaFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
import { join } from 'path';
// The stack uses the `iam` namespace below, so import the module as a whole
// (the original imported only Effect, PolicyStatement and CfnPolicy, none of which are used).
import * as iam from 'aws-cdk-lib/aws-iam';

export class ApiLamdaStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Role intended for CloudFormation to assume, with AWS-managed Lambda full access.
    // Note that nothing in this stack references the role after creating it.
    new iam.Role(this, 'example-iam-role', {
      assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName('AWSLambda_FullAccess'),
      ],
    });

    // Node.js 16 function whose code is loaded from ../services/hello,
    // with `main` exported from hello.js as the handler.
    const helloLamda = new LamdaFunction(this, 'helloLamda', {
      runtime: Runtime.NODEJS_16_X,
      code: Code.fromAsset(join(__dirname, '..', 'services', 'hello')),
      handler: 'hello.main',
    });
  }
}

cdk.json

{
  "app": "npx ts-node --prefer-ts-exts bin/apiLamda.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ]
  }
}

All I want to do is create a lambda through CDK. Can someone suggest how I should do this?

The solution seems to be to attach a role to CloudFormation so that it is able to create the lambda function. I have changed lib\api_lamda-stack.ts, please take a look.

Best answer

The problem is not in your cdk code. It says the cdk role cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized for lambda:CreateFunction.

Check your profile permissions.
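As an added illustration (not code from the question or the answer), the following TypeScript parses a CloudFormation AccessDenied handler message of the shape quoted in the question and works out which principal was actually denied. The point it makes explicit is that the denied caller is the CDK bootstrap CloudFormation execution role (named cdk-<qualifier>-cfn-exec-role-<account>-<region> by cdk bootstrap, hnb659fds being the default qualifier), whose permissions come from the bootstrap stack's --cloudformation-execution-policies setting. A Role resource declared inside the application stack cannot fix that, because the application stack is the deployment being denied. The sample message is the one from the question, with its placeholders left as they appear there; the function and type names are this example's own.

```typescript
// Added example, not code from the original question or answer.
// Parses a CloudFormation "AccessDenied" handler message and identifies
// which IAM role is missing the permission.

interface AccessDeniedInfo {
  principalArn: string;      // full ARN of the denied caller
  roleName: string | null;   // role name when the caller is an STS assumed role
  action: string;            // e.g. "lambda:CreateFunction"
  resourceArn: string;       // resource the action was attempted on
  isCdkExecRole: boolean;    // true when the role is a CDK bootstrap cfn-exec role
}

// Standard IAM wording: "User: <arn> is not authorized to perform: <action>
// on resource: <arn> because ...". Each field is a single non-space token.
const ACCESS_DENIED_RE =
  /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/;

// cdk bootstrap names the execution role cdk-<qualifier>-cfn-exec-role-<account>-<region>.
const CDK_EXEC_ROLE_RE = /^cdk-[a-z0-9]+-cfn-exec-role-/;

function parseAccessDenied(message: string): AccessDeniedInfo | null {
  const m = ACCESS_DENIED_RE.exec(message);
  if (!m) {
    return null;
  }
  const [, principalArn, action, resourceArn] = m;
  // Assumed-role ARNs look like arn:aws:sts::<account>:assumed-role/<role-name>/<session>
  const roleMatch = /:assumed-role\/([^/]+)\//.exec(principalArn);
  const roleName = roleMatch ? roleMatch[1] : null;
  return {
    principalArn,
    roleName,
    action,
    resourceArn,
    isCdkExecRole: roleName !== null && CDK_EXEC_ROLE_RE.test(roleName),
  };
}

// Turns the parsed message into a remediation hint. Permissions for the CDK
// execution role are governed by the bootstrap stack, not by the app stack.
function remediationHint(info: AccessDeniedInfo): string {
  if (info.isCdkExecRole) {
    return (
      `CDK bootstrap execution role "${info.roleName}" lacks ${info.action} on ${info.resourceArn}. ` +
      `Grant it through the bootstrap stack (cdk bootstrap --cloudformation-execution-policies <policy-arn>) ` +
      `or attach a policy to that role; a Role declared inside the app stack cannot help, ` +
      `because the app stack deployment is what is being denied.`
    );
  }
  if (info.roleName !== null) {
    return `Role "${info.roleName}" lacks ${info.action} on ${info.resourceArn}.`;
  }
  return `Principal ${info.principalArn} lacks ${info.action} on ${info.resourceArn}.`;
}

// Constructed sample input: the handler message quoted in the question.
const SAMPLE_MESSAGE =
  'Resource handler returned message: "User: arn:aws:sts::xxxxx:assumed-role/' +
  'cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to perform: ' +
  'lambda:CreateFunction on resource: arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa ' +
  'because no identity-based policy allows the lambda:CreateFunction action (Service: Lambda, Status Code: 403)"';

function diagnose(message: string): string {
  const info = parseAccessDenied(message);
  return info ? remediationHint(info) : 'Not an IAM access-denied message.';
}

console.log(diagnose(SAMPLE_MESSAGE));
```

Running the block prints the hint for the question's message, naming cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1 as the role to fix. Whether the deploying profile itself has permissions is a separate question from whether the bootstrap execution role does; the message answers the second one.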

Regarding amazon-web-services - Unable to create an AWS Lambda function with CDK, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/75275516/
