我有几个正在运行的 AWS lambda,由无服务器框架。我需要一个 lambda(称为lambdaOne
)这将调用第二个 lambda(称为lambdaTwo
)使用 AWS 的 javascript sdk。问题是我得到了AccessDenied
当我尝试这样做时出现异常:
UnhandledPromiseRejectionWarning:未处理的承诺拒绝(拒绝 ID:1):
AccessDeniedException:用户:arn:aws:sts :: 12345678909876:assumed-role / test-dev-us-west-2-lambdaRole / test-dev-lambdaOne无权执行:lambda:资源上的Invoke函数:arn:aws :lambda:us-west-2:994979977450:函数:test-dev-lambdaTwo
据我了解,无服务器创建一个默认 IAM https://serverless.com/framework/docs/providers/aws/guide/services#the-default-iam-role所有 lambda 函数的角色。所以,我应该能够在下面添加一个新条目iamRoleStatements
.
我的困惑源于我想要引用的资源(lambdaTwo
) 已经定义为function https://serverless.com/framework/docs/providers/aws/guide/functions/.
有没有办法参考function
作为资源?
目前,没有声明 Lambda 函数权限的快捷方式。您需要根据其 ARN 授予权限。
下面是一个工作示例。
无服务器.yml
service: test-invoke-function
provider:
name: aws
runtime: nodejs6.10
region: us-east-1
stage: dev
environment:
AWS_ACCOUNT: 1234567890 # use your own AWS ACCOUNT number here
# define the ARN of the function that you want to invoke
FUNCTION_ARN: "arn:aws:lambda:${self:provider.region}:${self:provider.environment.AWS_ACCOUNT}:function:${self:service}-${self:provider.stage}-lambdaTwo"
functions:
# lambdaOne will invoke lambdaTwo
lambdaOne:
handler: handler.lambdaOne
role: functionPermission # we'll define later in this file
lambdaTwo:
handler: handler.lambdaTwo
# define the IAM permissions of our Lambda function
resources:
Resources:
functionPermission:
Type: AWS::IAM::Role
Properties:
RoleName: functionPermission
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: functionPermission
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Action:
- "lambda:InvokeFunction"
Resource: "${self:provider.environment.FUNCTION_ARN}"
处理程序.js
const AWS = require('aws-sdk');
module.exports.lambdaOne = (event, context, callback) => {
const lambda = new AWS.Lambda();
const params = {
FunctionName: process.env.FUNCTION_ARN,
Payload: JSON.stringify({ message: 'lambdaOne invoking lambdaTwo' })
};
// invoke lambdaTwo
lambda.invoke(params, (err, data) => {
if (err) {
callback(err, null);
return;
}
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'lambdaOne result',
result: data
})
};
callback(null, response);
});
};
module.exports.lambdaTwo = (event, context, callback) => {
const response = {
statusCode: 200,
body: JSON.stringify({
message: 'lambdaTwo result',
data: event
})
};
callback(null, response);
};
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)