Add role as CloudFormation template in serverless.yml

I am trying to invoke a lambda from another, following the example from this answer:

Nodejs - Invoke an AWS.Lambda function from within another lambda function

The answer says that both lambda functions should have AWSLambdaExecute and AWSLambdaBasicExecutionRole permissions.

Using Serverless, how can I add these 2 roles to a CloudFormation template in serverless.yml?
According to the Serverless IAM documentation,

> By default, one IAM Role is shared by all of the Lambda functions in your service. An IAM Policy is also created and is attached to that Role. Also by default, your Lambda functions have permission to create and write to CloudWatch logs, and if you have specified VPC security groups and subnets for your Functions to use then the EC2 rights necessary to attach to the VPC via an ENI will be added into the default IAM Policy.
>
> To add specific rights to this service-wide Role, define statements in provider.iamRoleStatements which will be merged into the generated policy.

To invoke a Lambda function from another function, you just need to add the "lambda:InvokeFunction" action to the existing IAM permissions Serverless already provides. So an example serverless.yml service should have an iamRoleStatements section that looks like this:

```yaml
service: new-service
provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "lambda:InvokeFunction"
      Resource:
        - "*"
```
In reference to the other answer cited:

- AWSLambdaBasicExecutionRole managed policy is already covered by the default Serverless policy;
- AWSLambdaExecute is the incorrect name for the managed policy required (that one only provides S3 get/put access, not InvokeFunction);
- the answer probably meant AWSLambdaRole, which provides the "lambda:InvokeFunction" permission.
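The statement above uses `Resource: "*"`, which lets every function in the service invoke any Lambda function in the account. The following serverless.yml is an added example, not part of the answer or of the Serverless project, showing the same `iamRoleStatements` entry scoped to a single callee. It assumes a service with two functions named `caller` and `worker` and a stage supplied with `--stage` (defaulting to `dev`); the callee's ARN is assembled with `Fn::Join` from the CloudFormation pseudo parameters `AWS::Region` and `AWS::AccountId` rather than with `Fn::GetAtt`, because the role is created before the functions and a reference to the function resource from inside the role's policy would be circular.

```yaml
service: new-service

provider:
  name: aws
  runtime: nodejs18.x
  iamRoleStatements:
    # Same "lambda:InvokeFunction" grant as in the answer, but limited to the
    # one function that "caller" actually needs to invoke. Serverless names
    # deployed functions "<service>-<stage>-<functionName>", so the ARN below
    # resolves to this service's "worker" function in the deploying account
    # and region (example values; adjust the function name to your service).
    - Effect: "Allow"
      Action:
        - "lambda:InvokeFunction"
      Resource:
        - Fn::Join:
            - ""
            - - "arn:aws:lambda:"
              - Ref: "AWS::Region"
              - ":"
              - Ref: "AWS::AccountId"
              - ":function:${self:service}-${opt:stage, 'dev'}-worker"

functions:
  caller:
    handler: handler.caller
    environment:
      # Passed to the handler so the invoke call and the IAM grant stay in step
      WORKER_FUNCTION_NAME: ${self:service}-${opt:stage, 'dev'}-worker
  worker:
    handler: handler.worker
```

Deploy with `serverless deploy --stage dev`; the generated policy then allows `caller` (and, since the role is shared, `worker`) to invoke only `new-service-dev-worker`. If a function needs to invoke several targets, add one ARN per target to `Resource` instead of widening back to `"*"`. The `${self:service}` and `${opt:stage, 'dev'}` placeholders are Serverless variables and are resolved before the template reaches CloudFormation, which is why a `Fn::Sub` string (whose `${...}` syntax clashes with them) is avoided here.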