堆栈内存溢出
  简体   繁体   English

AWS CDK Lambda function_from_arn 未按预期工作

[英]AWS CDK Lambda function_from_arn not working as expected

 原文  2022-12-09 11:32:49       aws-cdk/ aws-permissions

问题描述

I have this Lambda and this DynamoDB table我有这个 Lambda 和这个 DynamoDB 表

my_lambda = lambda_.Function(
    self,
    "my_lambda",
    function_name="my_lambda",
    description="A Lambda to test permissions",
    code=lambda_code,
    memory_size=512,
    handler="my_lambda.main",
    runtime=lambda_.Runtime.PYTHON_3_9,
    architecture=lambda_.Architecture.ARM_64,
    timeout=Duration.minutes(1),
)


table = dynamodb.Table(
    self,
    'test_table',
    partition_key=dynamodb.Attribute(
        name="id",
        type=dynamodb.AttributeType.STRING,
    ),
)

Now, if I want to give the Lambda access to write in the DynameDB table I do this.现在,如果我想授予 Lambda 写入 DynameDB 表的权限,我会这样做。

table.grant_full_access(my_lambda)

This works perfectly.这非常有效。 Now, if I want to give this same Lambda access to the table be getting a reference to it it doesn't work.现在,如果我想授予同样的 Lambda 访问表的权限,那么获取对它的引用是行不通的。

lambda_by_arn = lambda_.Function.from_function_arn(
    self,
    "my lambda by arn",
    my_lambda.function_arn
)
table.grant_full_access(lambda_by_arn)

The above doesn't work and the Lambda has no access whatsoever to the DynamoDB function.以上不起作用,Lambda 无法访问 DynamoDB function。

If you have the DynamoDB creation in a different stack than the Lambda, you cannot do it any other way (at least, to my knowledge) than by the function_from_arn method.如果您在与 Lambda 不同的堆栈中创建 DynamoDB,则除了function_from_arn方法之外,您不能以任何其他方式(至少,据我所知)。

I tried getting the Lambda from a different method: function_from_attributes but this resulted in the same way: No access.我尝试从不同的方法获取 Lambda: function_from_attributes但这导致相同的方式:无法访问。

2 个解决方案

解决方案1
 2  2022-12-09 14:18:24

What from_function_arn does is import an existing Lambda function so that you can reference it from your CDK application. from_function_arn所做的是导入现有的 Lambda function 以便您可以从 CDK 应用程序中引用它。 But it is not actually part of the application, so you can't do much with it.但它实际上并不是应用程序的一部分,因此您不能用它做很多事情。 In particular, you can't grant any access to it.特别是,您不能授予对它的任何访问权限。

If you have the DynamoDB creation in a different stack than the Lambda, you cannot do it any other way (at least, to my knowledge) than by the function_from_arn method.如果您在与 Lambda 不同的堆栈中创建 DynamoDB,则除了 function_from_arn 方法之外,您不能以任何其他方式(至少,据我所知)。

If both stacks are in the same app, you can pass the Lambda function reference to the other stack, and CDK will know how to deal with it.如果两个堆栈在同一个应用程序中,您可以将 Lambda function 引用传递给另一个堆栈,CDK 将知道如何处理它。

解决方案2
 1 已采纳  2022-12-09 19:36:27

TL;DR - The iam.Grant methods like grant_full_access *sometimes* work on externally referenced resources returned from Something.fromSomethingAttributes methods. TL;DR - iam.Grant方法(如grant_full_access *有时*)处理从Something.fromSomethingAttributes方法返回的外部引用资源。 Unfortunately, *not* for DynamoDB Table resources.不幸的是,*不适用于 DynamoDB 表资源。

You should be seeing a warning produced by the CDK CLI when you synth the app:当您synth应用程序时,您应该会看到 CDK CLI 生成的警告:

[Warning at /my_stack/my_lambda_by_arn] Add statement to this resource's role: ...

This is telling you the CDK didn't grant access - do it yourself!这是在告诉您 CDK 没有授予访问权限 - 自己动手吧! The CDK made a design decision to warn, but not to throw an error 1 . CDK 的设计决定是发出警告,而不是抛出错误1

Under what conditions can an externally reference ISomething construct successfully be granted IAM privileges?什么情况下外部引用ISomething构造可以成功授予IAM权限?

  1. The granting resource type must support Resource-based Policies (eg s3.Bucket, sqs.Queue), and授予资源类型必须支持基于资源的策略(例如 s3.Bucket、sqs.Queue),以及
  2. The ISomething 's role reference must be passed to Something.fromSomethingAttributes ISomething角色引用必须传递给Something.fromSomethingAttributes

This table summarizes what happens in various case.下表总结了各种情况下发生的情况。 Your case is on the bottom right:您的案例在右下角:

Method方法 Granter has Resource Policy授予者有资源策略 Granter has no Resource Policy授予者没有资源策略
fromSomethingAttributes + role: IRole fromSomethingAttributes + role: IRole ✅ Role ARN added to Resource Policy ✅ 角色 ARN 添加到资源策略 UnknownPrincipal assigned, CLI Warning UnknownPrincipal已分配,CLI 警告
fromSomethingAttributes , no role fromSomethingAttributes ,没有role ❌ Synth error: resource imported without a role ❌ 合成错误: resource imported without a role ❌ UnknownPrincipal assigned, CLI Warning ❌ UnknownPrincipal 已分配,CLI 警告
fromSomethingArn ❌ Synth error: resource imported without a role ❌ 合成错误: resource imported without a role ❌ UnknownPrincipal assigned, CLI Warning ❌ UnknownPrincipal 已分配,CLI 警告
  1. You can force the CDK to fail on such synth warnings with cdk synth --strict您可以使用cdk synth --strict强制 CDK 在出现此类合成器警告时失败

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 无法使用 CDK 创建 AWS Lambda function - Could not create an AWS Lambda function using CDK AWS CDK 从 lambda 查找 ARN - AWS CDK look up ARNs from lambda AWS CDK - 在 Lambda Function 中有条件地创建角色 - AWS CDK - Create role conditionally in Lambda Function AWS TS CDK如何执行 Lambda function - AWS TS CDK how to execute Lambda function AWS CDK:如何使用 Typescript 创建 Docker Lambda 函数? - AWS CDK: How to create a Docker Lambda function with Typescript? 由于“无效的 Lambda 函数”,AWS CDK 部署失败 - AWS CDK failing to deploy due to "Invalid Lambda Function" AWS CDK Secrets Manger 获取完整的 arn(python) - AWS CDK Secrets Manger getting the full arn (python) 使用 Rest API 和 Lambda Function 集成部署 CDK 堆栈时出错 (AWS CDK 2 Python API) - Error deploying a CDK stack with a Rest API with a Lambda Function Integration (AWS CDK 2 Python API) 参考 lambda function 来自另一个嵌套堆栈的 Arn - Reference lambda function Arn from another nested Stack AWS CDK:Lambda 基于资源的策略,用于带有别名的 function - AWS CDK: Lambda resource based policy for a function with an alias
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM