I get this error: Error: Error creating Lambda function: InvalidParameterValueException: The provided execution role does not have permissions to call CreateNetworkInterface on EC2
when trying to create a Lambda with a custom Lambda role using IAM permissions like the following:
...
statement {
  sid = "MyCustomLamdaStatementDescribe"
  actions = [
    "ec2:DescribeNetworkInterfaces",
  ]
  resources = ["*"]
}
statement {
  sid = "MyCustomLamdaStatementCreateDelete"
  actions = [
    "ec2:AttachNetworkInterface",
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
    "ec2:DescribeVpcs"
  ]
  resources = [
    "*"
  ]
  condition {
    test     = "ArnEquals"
    variable = "ec2:vpc"
    values = [
      "arn:aws:ec2:${var.my_region}:${var.my_account_id}:vpc/${var.my_vpc_id}",
    ]
  }
}
...
Creating the lambda works perfectly without any condition (as pointed out in AWS Lambda: The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2), but I need the role to be able to match the VPC (or the ec2:Subnet arn).
Note: I tried condition.test with both ArnEquals and StringEquals.
Accepted answer
If you want to restrict this to only one VPC, you have to split up each action.
ec2:DescribeNetworkInterfaces can only be used with Resource: * and without conditions (see the docs). But that one by itself is relatively harmless. The others can be restricted.
Here is a solution in YAML (CloudFormation) format. It is not perfect. In particular, I don't know how to restrict the resource or apply a condition to ec2:DeleteNetworkInterface. When I tried, I got the same error.
- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${SecGrp}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetA}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetB}'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/${SubnetC}'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
- Effect: Allow
  Action:
    - 'ec2:CreateNetworkInterface'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  # VPC condition not supported for this type of resource for this action
- Effect: Allow
  Action:
    - 'ec2:DeleteNetworkInterface'
  Resource:
    # I don't know why we need the first
    # the docs say the second is sufficient, but it doesn't work
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:*'
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  # the docs say this is supported, but it's not
  # Condition:
  #   StringEquals:
  #     'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
- Effect: Allow
  Action:
    # this action must have resource: * and no conditions
    # cannot be restricted
    - 'ec2:DescribeNetworkInterfaces'
  Resource:
    - '*'
- Effect: Allow
  Action:
    - 'ec2:AssignPrivateIpAddresses'
    - 'ec2:UnassignPrivateIpAddresses'
  Resource:
    - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:network-interface/*'
  Condition:
    StringEquals:
      'ec2:Vpc': !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/${VPC}'
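The same split, carried back into the asker's Terraform aws_iam_policy_document form, as an added example that is not part of the original question or answer. It keeps the asker's var.my_region, var.my_account_id and var.my_vpc_id and assumes two further variables, var.my_sg_id and var.my_subnet_ids, for the security group and subnets the Lambda attaches to.

```hcl
data "aws_iam_policy_document" "lambda_vpc_eni" {
  # CreateNetworkInterface against subnets and security groups: ec2:Vpc applies here,
  # so this is where the single-VPC restriction actually bites.
  statement {
    sid     = "CreateEniInOneVpc"
    actions = ["ec2:CreateNetworkInterface"]
    resources = concat(
      ["arn:aws:ec2:${var.my_region}:${var.my_account_id}:security-group/${var.my_sg_id}"],
      [for s in var.my_subnet_ids : "arn:aws:ec2:${var.my_region}:${var.my_account_id}:subnet/${s}"],
    )
    condition {
      test     = "StringEquals"
      variable = "ec2:Vpc"
      values   = ["arn:aws:ec2:${var.my_region}:${var.my_account_id}:vpc/${var.my_vpc_id}"]
    }
  }
  # The same action also needs the network-interface resource type, which (per the answer)
  # does not accept the ec2:Vpc condition, so it gets its own unconditioned statement.
  statement {
    sid       = "CreateEniResource"
    actions   = ["ec2:CreateNetworkInterface"]
    resources = ["arn:aws:ec2:${var.my_region}:${var.my_account_id}:network-interface/*"]
  }
  # Delete: mirrors the answer's working form (no condition, both resource patterns).
  statement {
    sid     = "DeleteEni"
    actions = ["ec2:DeleteNetworkInterface"]
    resources = [
      "arn:aws:ec2:${var.my_region}:${var.my_account_id}:*",
      "arn:aws:ec2:${var.my_region}:${var.my_account_id}:network-interface/*",
    ]
  }
  # Describe cannot be scoped at all; keep it as the only Resource "*" statement.
  statement {
    sid       = "DescribeEni"
    actions   = ["ec2:DescribeNetworkInterfaces"]
    resources = ["*"]
  }
  statement {
    sid       = "AssignIpsInOneVpc"
    actions   = ["ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses"]
    resources = ["arn:aws:ec2:${var.my_region}:${var.my_account_id}:network-interface/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:Vpc"
      values   = ["arn:aws:ec2:${var.my_region}:${var.my_account_id}:vpc/${var.my_vpc_id}"]
    }
  }
}
```

Attach the rendered data.aws_iam_policy_document.lambda_vpc_eni.json to the execution role in place of the original combined statement; the Describe statement is the only one left with a wildcard resource, which matches the answer's point that it is the harmless one.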
On aws-lambda - AWS IAM execution role does not have permissions to call CreateNetworkInterface on EC2 for a specific VPC, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/67955016/