
How do I add a policy to an AWS Lambda function using a .yaml file?

Stack Overflow user
Asked 2021-07-16 13:19:20
2 answers, 1.8K views, 0 following, 2 votes

I am developing a REST API with AWS Lambda, API Gateway and RDS (MySQL). I am using the aws-sam tool to build, configure and publish my work to the cloud.

Please check the template.yaml file below, which I am currently using.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get

However, in order for the lambda function to be able to find the database, I had to enable some policies from the AWS web console. I followed this link - https://ao.ms/the-provided-execution-role-does-not-have-permissions-to-call-createnetworkinterface-on-ec2/

Below is the policy I created for the Lambda function in the AWS web console.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}

However, it is impossible for me to do this in the web console, going from one function to the next. I need to accomplish this in the yaml file.

Given the yaml file provided above, how can I grant these permissions to my Lambda function?

------------UPDATE---------------

Following Gaurauv's comment, I made the following changes to the yaml file.

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get
      Role: !GetAtt LambdaRole.Arn
  
  LambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: 'ec2-access-policy'
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'

However, the deployment failed with the following error.

CREATE_FAILED  AWS::IAM::Role  LambdaRole  Property AssumeRolePolicyDocument cannot be empty.
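The question asks for a way to grant the VPC permissions purely in the template. As an added example (not part of the original question or either answer), the template below reaches the same result without hand-writing a role: the `Policies` property of `AWS::Serverless::Function` makes SAM generate the execution role itself, with the `lambda.amazonaws.com` trust policy and `AWSLambdaBasicExecutionRole` already attached, so the `AssumeRolePolicyDocument` error cannot occur. The AWS-managed `AWSLambdaVPCAccessExecutionRole` carries the ENI actions a VPC-attached function needs; the console policy above additionally grants `ec2:DescribeInstances` and `ec2:AttachNetworkInterface`, which are not in the managed policy. `VpcConfig` is what actually places the function in the database's VPC. The subnet and security group parameters, the `rds-db:connect` statement (which assumes RDS IAM database authentication is enabled) and its resource id and user name are placeholders. SAM ignores `Policies` when `Role` is set, so use one mechanism or the other.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: aaaa-restapi with a SAM-generated execution role (added example)

Globals:
  Function:
    Timeout: 100

Parameters:
  # Placeholders: private subnets and a security group that can reach the RDS instance.
  DbSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  LambdaSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      # Places the function's ENIs in the database VPC; this is what requires the ec2 actions.
      VpcConfig:
        SubnetIds: !Ref DbSubnetIds
        SecurityGroupIds:
          - !Ref LambdaSecurityGroupId
      # No Role property: SAM creates the execution role with a lambda.amazonaws.com
      # trust policy plus AWSLambdaBasicExecutionRole, then attaches everything listed here.
      Policies:
        # AWS-managed policy with the ENI actions Lambda needs inside a VPC.
        - AWSLambdaVPCAccessExecutionRole
        # Inline statement scoped to one resource instead of '*'. Assumes RDS IAM database
        # authentication; the DbiResourceId and database user are placeholders.
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: rds-db:connect
              Resource: !Sub arn:aws:rds-db:${AWS::Region}:${AWS::AccountId}:dbuser:db-EXAMPLERESOURCEID/lambda_user
      Events:
        HelloWorld:
          Type: Api
          Properties:
            Path: /accounttype
            Method: get
```

Both the hand-written role in the update and the generated one end up with `Resource: '*'` for the ENI actions; that is also how the AWS-managed policy is written, so the place to tighten privilege is the inline statements you add, as with `rds-db:connect` above.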

2 Answers

Stack Overflow user

Accepted answer

Posted 2021-07-16 15:52:32

According to the IAM::Role resource documentation, an AssumeRolePolicyDocument is required when creating a role. This property manages the trust policy associated with the role. The trust policy defines which entities can assume the role. Only one trust policy can be associated with a role.

Please find the updated role resource for your use case below.

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  LambdaRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - ec2:DescribeNetworkInterfaces
                  - ec2:CreateNetworkInterface
                  - ec2:DeleteNetworkInterface
                  - ec2:DescribeInstances
                  - ec2:AttachNetworkInterface
                Resource: '*'  
3 votes
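The accepted answer's distinction between the trust policy (who may assume the role) and the permission policies (what the role may then do) is worth checking mechanically before `sam deploy`. The following is an added example, not code from the question or either answer: a stdlib-only Python lint over a CloudFormation/SAM template in dict (JSON) form that flags the exact failure above (no `AssumeRolePolicyDocument`), a trust policy open to any AWS principal, and permission statements with wildcard actions or write actions on `Resource: '*'`. The three roles in the sample template are constructed for the demo (the question's broken role, the accepted answer's fixed role, and an over-trusting one). A YAML template would first need converting to a dict, for example with `cfn-flip`, because PyYAML does not understand the `!GetAtt` tag by default.

```python
"""Lint AWS::IAM::Role resources in a CloudFormation/SAM template (dict form).

Added example for this Q&A; the template below is constructed, not taken from the post.
"""
from typing import Any

LAMBDA_SERVICE = "lambda.amazonaws.com"
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value: Any) -> list:
    """IAM allows Action/Resource/Principal/Statement to be a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(name: str, props: dict) -> list[str]:
    """Trust-policy checks for a role intended as a Lambda execution role."""
    findings: list[str] = []
    trust = props.get("AssumeRolePolicyDocument")
    if not trust:
        # The failure from the question: CloudFormation rejects the role outright.
        findings.append(f"ERROR {name}: AssumeRolePolicyDocument is missing "
                        "(CloudFormation: 'Property AssumeRolePolicyDocument cannot be empty')")
        return findings
    if trust.get("Version") != "2012-10-17":
        findings.append(f"WARN {name}: trust policy Version is not 2012-10-17")
    for st in _as_list(trust.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # Principal may be the string "*" or a map such as {"Service": [...]} / {"AWS": "*"}.
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"ERROR {name}: trust policy allows any AWS principal to assume the role")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        for svc in services:
            if svc != LAMBDA_SERVICE:
                findings.append(f"WARN {name}: trusts service {svc}; a Lambda execution role "
                                f"only needs {LAMBDA_SERVICE}")
    return findings


def check_permission_policies(name: str, props: dict) -> list[str]:
    """Permission-policy checks on the role's inline policies (the Policies property)."""
    findings: list[str] = []
    for policy in _as_list(props.get("Policies")):
        pname = policy.get("PolicyName", "?")
        doc = policy.get("PolicyDocument", {})
        if doc.get("Version") != "2012-10-17":
            # Without it IAM falls back to the 2008-10-17 grammar (no policy variables).
            findings.append(f"WARN {name}/{pname}: PolicyDocument has no Version 2012-10-17")
        for st in _as_list(doc.get("Statement")):
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action"))
            resources = _as_list(st.get("Resource"))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"ERROR {name}/{pname}: wildcard Action {actions}")
            writes = [a for a in actions if not a.split(":")[-1].startswith(READ_ONLY_PREFIXES)]
            if "*" in resources and writes:
                findings.append(f"INFO {name}/{pname}: write actions {writes} on Resource '*'; "
                                "scope them where the service supports resource ARNs")
    return findings


def lint_template(template: dict) -> list[str]:
    """Run both checks over every AWS::IAM::Role in the template's Resources."""
    findings: list[str] = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        findings += check_trust_policy(name, props)
        findings += check_permission_policies(name, props)
    return findings


# Constructed sample: the question's broken role, the accepted answer's fixed role,
# and a role whose trust policy is open to every AWS account.
ENI_ACTIONS = ["ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface",
               "ec2:DeleteNetworkInterface"]
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": [LAMBDA_SERVICE]}, "Action": ["sts:AssumeRole"]}]}
ENI_POLICY = {"PolicyName": "eni", "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ENI_ACTIONS, "Resource": "*"}]}}
SAMPLE_TEMPLATE = {"Resources": {
    "BrokenRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [ENI_POLICY]}},
    "FixedRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": LAMBDA_TRUST, "Policies": [ENI_POLICY]}},
    "OverTrustingRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "admin", "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "Fn": {"Type": "AWS::Serverless::Function", "Properties": {}},
}}

if __name__ == "__main__":
    for line in lint_template(SAMPLE_TEMPLATE):
        print(line)
```

The ENI actions are reported as INFO rather than ERROR on purpose: `ec2:CreateNetworkInterface` on `Resource: '*'` is exactly what the AWS-managed `AWSLambdaVPCAccessExecutionRole` grants, so that finding is a prompt to review, while a missing trust policy or a `Principal: "*"` blocks the deploy.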

Stack Overflow user

Posted 2021-07-16 13:44:51

You can attach a role with an inline policy to the lambda function, like this:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  aaaa-restapi

  Sample SAM Template for aaaa-restapi

# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
  Function:
    Timeout: 100

Resources:
  GetAllAccountTypesLambda:
    Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
    Properties:
      CodeUri: aaaa-restapi
      Handler: com.aaaa.dao.accountingtype.GetAllAccountTypesLambda::getAllAccountTypes
      Runtime: java11
      MemorySize: 1024
      Environment: # More info about Env Vars: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#environment-object
        Variables:
          PARAM1: VALUE
      Events:
        HelloWorld:
          Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
          Properties:
            Path: /accounttype
            Method: get
      Role: !GetAtt LambdaRole.Arn

  LambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
      # Trust policy: required by AWS::IAM::Role, and what allows the Lambda service to assume the role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies:
        - PolicyName: 's3-access-policy'
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetBucketLocation
                  - s3:GetBucketCORS
                  - s3:GetObjectVersionForReplication
                  - s3:GetObject
                  - s3:GetBucketTagging
                  - s3:GetObjectVersion
                  - s3:GetObjectTagging
                  - s3:ListMultipartUploadParts
                  - s3:ListBucket
                  - s3:ListBucketMultipartUploads
                  - s3:PutObject
                  - s3:PutObjectTagging
                  - s3:DeleteObject
                Resource: '*'
0 votes
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/68409728
