
User: arn:aws:iam::AN:user/root is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-west-1:AN:table/MyTable

I have a serverless project. I declared the needed resources in my serverless.yml like below:

The resources needed for the project:

resources:
  Resources:
    FileDownloadBucket:
      Type: "AWS::S3::Bucket"
      Properties:
        BucketName: ${file(./config/${self:provider.stage}.yml):file_download_bucket_name}
        LifecycleConfiguration:
          Rules:
            - Status: Enabled
              ExpirationInDays: 365
    DynamoDb:
      Type: "AWS::DynamoDB::Table"
      Properties:
        TableName: ${file(./config/${self:provider.stage}.yml):dynamotable_name}
        AttributeDefinitions:
          - AttributeName: uuid
            AttributeType: S
        KeySchema:
          - AttributeName: uuid
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1

The permissions required for the IAM role for this project:

  iam:
    role:
      name: ${opt:stage, 'dev'}-role
      statements:
        - Effect: 'Allow'
          Action: 'secretsmanager:GetSecretValue'
          Resource:
            - ${file(./config/${self:provider.stage}.yml):project_secrets_arn}
        - Effect: 'Allow'
          Action:
            - "lambda:InvokeFunction"
            - "lambda:GetFunction"
          Resource:
            - "*"
        - Effect: 'Allow'
          Action:
            - "s3:GetObject"
            - "s3:PutObject"
            - "s3:ListBucket"
          Resource:
            - "arn:aws:s3:::${file(./config/${self:provider.stage}.yml):file_download_bucket_name}/*"
        - Effect: 'Allow'
          Action:
            - dynamodb:DescribeTable
            - dynamodb:Query
            - dynamodb:Scan
            - dynamodb:GetItem
            - dynamodb:PutItem
            - dynamodb:UpdateItem
            - dynamodb:DeleteItem
          Resource:
            - "arn:aws:dynamodb:::table/${file(./config/${self:provider.stage}.yml):dynamotable_name}"

I also have a ./config/prod.yml file holding the S3 bucket names and DynamoDB table names:

project_secrets_arn: "[ARN for the secret]"
file_download_bucket_name: "file-download-bucket-asdjsdkfhsdfidf"
dynamotable_name: "MyTable"

However, when I deploy this project I get the error Resource handler returned message: "User: arn:aws:iam::[ACCOUNT_NUMBER]:user/root is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-west-1:[ACCOUNT_NUMBER]:table/MyTable". What am I doing wrong here?

ALSO, I tried using "Fn::GetAtt": as:

  Resource:
    - "Fn::GetAtt": [${self:provider.environment.MY_DB}, Arn]

and as:

  Resource:
    - "Fn::GetAtt": [MyTable, Arn]

to which I got the errors Cannot parse "serverless.yml": missed comma between flow collection entries in "/home/runner/work/sc2/sc2/serverless.yml" (51:32) and The CloudFormation template is invalid: Template error: instance of Fn::GetAtt references undefined resource MY_DB respectively.
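A check worth running on a denial like the one above, written here as an added example (not code from the question or the answer): parse the principal, action and resource out of the AccessDenied message and test them against each Allow statement using IAM's `*`/`?` wildcard semantics, and report which identity the message names. The account id and the statement list are constructed from the question's values with the config placeholders substituted.

```python
import re

# Constructed sample: the denial from the question, with a placeholder account id,
# and the S3 and DynamoDB statements from its role, with config values filled in.
DENIAL = ("User: arn:aws:iam::123456789012:user/root is not authorized to perform: "
          "dynamodb:DescribeTable on resource: arn:aws:dynamodb:eu-west-1:123456789012:table/MyTable")
STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::file-download-bucket-asdjsdkfhsdfidf/*"]},
    {"Effect": "Allow", "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:GetItem"],
     "Resource": ["arn:aws:dynamodb:::table/MyTable"]},
]
DENIAL_RE = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                       r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denial(msg):
    """Extract principal, action and resource ARN from an IAM AccessDenied message."""
    m = DENIAL_RE.search(msg)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.groupdict()

def principal_type(arn):
    """'user', 'role', 'assumed-role' or 'root' from the resource part of the principal ARN."""
    return arn.split(":", 5)[5].split("/", 1)[0]

def iam_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def as_list(v):
    return v if isinstance(v, list) else [v]

def diagnose(msg, statements):
    """Report whether any Allow statement covers the denied call, and which statements
    name the action but have a Resource pattern that misses the ARN in the message."""
    d = parse_denial(msg)
    d["principal_type"] = principal_type(d["principal"])
    d["covered"] = False
    d["action_only"] = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        action_ok = any(iam_match(a.lower(), d["action"].lower()) for a in as_list(st["Action"]))
        resource_ok = any(iam_match(r, d["resource"]) for r in as_list(st["Resource"]))
        if action_ok and resource_ok:
            d["covered"] = True
        elif action_ok:
            d["action_only"].append(st)
    return d
```

Because the message names `user/root`, an IAM user, rather than the `${stage}-role` role, the report's `principal_type` tells you which identity's policy to read before looking at Resource patterns.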

You need to allow the role to be assumed by the RDS service, so you have to add a Trusted Policy to your role like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rds.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Finally, if you are behind a VPC, make sure to add a rule to your VPC's SG that allows inbound connections on port 443 (i.e. the HTTPS port) and add your VPC's CIDR as the source.


