User: arn:aws:sts::{account_id}:assumed-role/* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account_id}:role/*
I am creating two resources, an AWS Lambda function and a Role, using a CloudFormation template.
I am using the role ARN as an environment variable and later using it in code for the S3 connection. But I am getting this exception:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
User: arn:aws:sts::{account_id}:assumed-role/* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account_id}:role/*
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: ; Proxy: null)
How can I add the same role ARN in the Trust Relationship and in the inline policy?
How do I overcome the above exception?
Other solutions appreciated.
CF Template snippet:
# Snippet only: AWS::Serverless::Function needs "Transform: AWS::Serverless-2016-10-31"
# at the top of the template, and the parameters Name and S3BucketName are defined
# elsewhere in the template (not shown here).
Resources:
  LambdaFunctionExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Only the Lambda service is trusted to assume this role.
              Service:
                - lambda.amazonaws.com
              # AWS:
              #   - {Role ARN}
            Action:
              - 'sts:AssumeRole'
      Path: /
      # Several of these managed policies (S3 full access, Secrets Manager read/write,
      # CloudWatch Logs full access) grant far more than the function needs.
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
        - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
      Policies:
        - PolicyName: CustomLambdaPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:Describe*'
                  - 'ec2:Get*'
                Resource: '*'
  LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Description: !Ref Name
      FunctionName: !Ref Name
      Handler: com.fileservice::handleRequest
      # Execution role: Lambda assumes it on each invocation and hands the
      # resulting credentials to the function's environment.
      Role: !GetAtt LambdaFunctionExecutionRole.Arn
      Timeout: 900
      MemorySize: 512
      Environment:
        Variables:
          bucketName: !Ref S3BucketName
          # The role ARN the code later tries to assume again via STS.
          roleARN: !GetAtt LambdaFunctionExecutionRole.Arn
      CodeUri: target/fileservice-1.0.0.jar
      Runtime: java11
LambdaFunction:
  Type: AWS::Serverless::Function
  Properties:
    Role: !GetAtt LambdaFunctionExecutionRole.Arn
If you are using the Role property of AWS::Serverless::Function, you do not need to assume the role again in your Lambda code. Any AWS SDK or CLI will automatically retrieve the credentials associated with that role.
Reference: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html (From the documentation: You provide this role when you create a function, and Lambda assumes the role when your function is invoked.)
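The point of this answer in code, as an added example that is not part of the original question or answers. It uses the AWS SDK for Java v1 (the com.amazonaws classes in the question's stack trace) and puts the failing pattern beside the fix: the first client re-assumes the execution role through STS and produces exactly the 403 AccessDenied on sts:AssumeRole from the question, because the caller is the assumed-role session arn:aws:sts::{account_id}:assumed-role/LambdaFunctionExecutionRole/<function-name> and the role's trust policy only names lambda.amazonaws.com; the second client uses the default credential provider chain, which inside Lambda resolves to the execution role's temporary credentials from the environment, so no sts:AssumeRole permission is needed at all. The handler class name, object-key scheme and dependencies (aws-java-sdk-s3, aws-java-sdk-sts, aws-lambda-java-core) are assumptions; the question only shows the handler string com.fileservice::handleRequest and the bucketName and roleARN variables.

```java
package com.fileservice;

import java.util.Map;

import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

// Assumed handler class; the question only gives "com.fileservice::handleRequest".
public class FileService implements RequestHandler<Map<String, Object>, String> {

    // BROKEN: re-assuming the execution role from inside the function.
    // At runtime the caller is already the assumed-role session
    // arn:aws:sts::<account>:assumed-role/LambdaFunctionExecutionRole/<function-name>.
    // That principal is not in the role's trust policy (only lambda.amazonaws.com is),
    // so STS answers 403 AccessDenied for sts:AssumeRole: the exception in the question.
    static AmazonS3 s3ClientViaAssumeRole(String roleArn) {
        STSAssumeRoleSessionCredentialsProvider creds =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "fileservice-session")
                        .build();
        return AmazonS3ClientBuilder.standard().withCredentials(creds).build();
    }

    // FIXED: no explicit credentials. The default provider chain reads
    // AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN, which the Lambda
    // runtime sets from the execution role on every invocation, and the region from
    // AWS_REGION. The client therefore already acts as LambdaFunctionExecutionRole.
    static AmazonS3 s3ClientViaExecutionRole() {
        return AmazonS3ClientBuilder.standard().build();
    }

    // Built once per container so the credentials are refreshed by the provider chain.
    private final AmazonS3 s3 = s3ClientViaExecutionRole();

    @Override
    public String handleRequest(Map<String, Object> event, Context context) {
        // bucketName comes from Environment.Variables in the template; the roleARN
        // variable is no longer read and can be dropped from the template.
        String bucket = System.getenv("bucketName");
        // Assumed key scheme for the example; the request id keeps keys unique.
        String key = "hello-" + context.getAwsRequestId() + ".txt";
        s3.putObject(bucket, key, "written with the execution role's own credentials");
        context.getLogger().log("wrote s3://" + bucket + "/" + key);
        return key;
    }
}
```

Dropping the STS hop also means the trust policy can stay as it is, trusting only lambda.amazonaws.com; widening it so the role can assume itself, as the commented-out AWS principal in the question suggests, would add an unnecessary path to the same permissions. With the code no longer needing sts:AssumeRole, the remaining work is on the permission side of the role: the template attaches AmazonS3FullAccess, and a function that writes to one bucket needs only s3:PutObject on that bucket's ARN.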
Ignoring the fact that you should not have a reason to allow a role to assume itself, with CloudFormation it is not possible to reference the ARN of the role inside the role definition itself. Attempting to use !GetAtt LambdaFunctionExecutionRole.Arn in the trust policy of LambdaFunctionExecutionRole would give a Circular Dependency error.