AWS CDK Lambda function_from_arn not working as expected
I have this Lambda and this DynamoDB table:

```python
from aws_cdk import Duration, aws_dynamodb as dynamodb, aws_lambda as lambda_

# lambda_code (the function's Code asset) is defined elsewhere in the stack
my_lambda = lambda_.Function(
    self,
    "my_lambda",
    function_name="my_lambda",
    description="A Lambda to test permissions",
    code=lambda_code,
    memory_size=512,
    handler="my_lambda.main",
    runtime=lambda_.Runtime.PYTHON_3_9,
    architecture=lambda_.Architecture.ARM_64,
    timeout=Duration.minutes(1),
)
table = dynamodb.Table(
    self,
    'test_table',
    partition_key=dynamodb.Attribute(
        name="id",
        type=dynamodb.AttributeType.STRING,
    ),
)
```
Now, if I want to give the Lambda access to write in the DynamoDB table I do this.

```python
table.grant_full_access(my_lambda)
```

This works perfectly. Now, if I want to give this same Lambda access to the table by getting a reference to it, it doesn't work.
```python
lambda_by_arn = lambda_.Function.from_function_arn(
    self,
    "my lambda by arn",
    my_lambda.function_arn
)
table.grant_full_access(lambda_by_arn)
```

The above doesn't work and the Lambda has no access whatsoever to the DynamoDB function.
If you have the DynamoDB creation in a different stack than the Lambda, you cannot do it any other way (at least, to my knowledge) than by the function_from_arn method.

I tried getting the Lambda from a different method: function_from_attributes but this resulted in the same way: No access.

What from_function_arn does is import an existing Lambda function so that you can reference it from your CDK application. But it is not actually part of the application, so you can't do much with it. In particular, you can't grant any access to it.

> If you have the DynamoDB creation in a different stack than the Lambda, you cannot do it any other way (at least, to my knowledge) than by the function_from_arn method.

If both stacks are in the same app, you can pass the Lambda function reference to the other stack, and CDK will know how to deal with it.

TL;DR - The iam.Grant methods like grant_full_access *sometimes* work on externally referenced resources returned from Something.fromSomethingAttributes methods. Unfortunately, *not* for DynamoDB Table resources.
You should be seeing a warning produced by the CDK CLI when you synth the app:

```
[Warning at /my_stack/my_lambda_by_arn] Add statement to this resource's role: ...
```

This is telling you the CDK didn't grant access - do it yourself! The CDK made a design decision to warn, but not to throw an error [1].
Under what conditions can an externally referenced ISomething construct successfully be granted IAM privileges? ISomething's role reference must be passed to Something.fromSomethingAttributes.
This table summarizes what happens in the various cases. Your case is on the bottom right:

| Method | Granter has Resource Policy | Granter has no Resource Policy |
|---|---|---|
| fromSomethingAttributes + role: IRole | ✅ Role ARN added to Resource Policy | ❌ UnknownPrincipal assigned, CLI Warning |
| fromSomethingAttributes, no role | ❌ Synth error: resource imported without a role | ❌ UnknownPrincipal assigned, CLI Warning |
| fromSomethingArn | ❌ Synth error: resource imported without a role | ❌ UnknownPrincipal assigned, CLI Warning |
[1] cdk synth --strict forces the CDK to fail on such synth warnings.
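A post-synth check, added here and not part of either answer, that makes the silently ignored grant visible in the template rather than only in a CLI warning: it lists which IAM roles actually received dynamodb:* actions on the table. The two templates are constructed samples that follow the shape `cdk synth` emits (an AWS::IAM::Policy whose Roles list Ref's the function's role and whose Resource is the table's Fn::GetAtt ARN); they are not real synth output.

```python
import json

def dynamodb_grants(template_json: str, table_id: str) -> dict:
    """Map role logical id -> set of dynamodb:* actions that some AWS::IAM::Policy
    in the template allows on the table with logical id `table_id`. An empty dict
    means no role was granted anything: what an ignored grant_full_access() leaves."""
    resources = json.loads(template_json)["Resources"]
    grants = {}
    for res in resources.values():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        props = res["Properties"]
        actions = set()
        for stmt in props["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            acts = stmt.get("Action", [])
            acts = [acts] if isinstance(acts, str) else acts
            rsrc = stmt.get("Resource", [])
            rsrc = rsrc if isinstance(rsrc, list) else [rsrc]
            # CDK emits the table ARN as {"Fn::GetAtt": [<table logical id>, "Arn"]}
            hits_table = any(isinstance(r, dict) and r.get("Fn::GetAtt", [None])[0] == table_id
                             for r in rsrc)
            if hits_table:
                actions.update(a for a in acts if a.startswith("dynamodb:"))
        for ref in props.get("Roles", []):
            if actions and isinstance(ref, dict) and "Ref" in ref:
                grants.setdefault(ref["Ref"], set()).update(actions)
    return grants

# Constructed sample templates (same shape as `cdk synth` output, not real output).
# GRANTED: table.grant_full_access(my_lambda) on a function defined in the same stack.
GRANTED = json.dumps({"Resources": {
    "MyLambdaRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "MyLambda": {"Type": "AWS::Lambda::Function",
                 "Properties": {"Role": {"Fn::GetAtt": ["MyLambdaRole", "Arn"]}}},
    "TestTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}},
    "MyLambdaRolePolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "Roles": [{"Ref": "MyLambdaRole"}],
        "PolicyDocument": {"Statement": [{"Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": [{"Fn::GetAtt": ["TestTable", "Arn"]}]}]}}}}})
# NOT_GRANTED: the same call on a from_function_arn() import; only the table is emitted.
NOT_GRANTED = json.dumps({"Resources": {
    "TestTable": {"Type": "AWS::DynamoDB::Table", "Properties": {}}}})

if __name__ == "__main__":
    for name, tpl in (("granted", GRANTED), ("not_granted", NOT_GRANTED)):
        print(name, dynamodb_grants(tpl, "TestTable") or "NO ROLE GRANTED - add the policy yourself")
```

Run it against the JSON in cdk.out/ for the stack that owns the table; an empty result for the table's logical id is the condition the CLI warning above is describing.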