无法使用 CDK 创建 AWS Lambda function

Question

I am new to CDK, I want to create simple lamda function using CDK.cdk synth gives no error but when I run cdk deploy --profile myprofile getting this error我是 CDK 的新手，我想使用 CDK.cdk synth 创建简单的 lamda function 没有错误，但是当我运行cdk deploy --profile myprofile时出现此错误

Resource handler returned message: "User: arn:aws:sts::xxxxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa because no identity-based policy allows the lambda:CreateFunction action (Service: Lambda, Status Code: 403, Request ID: 61895893-bf12-48bf-a51a-dbcf11fc17d8)" (RequestToken: 0e3ec851-6bd2-9ef3-751c-a3a947a72668, HandlerErrorCode: AccessDenied)资源处理程序返回消息：“用户：arn:aws:sts::xxxxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation 无权执行：lambda:CreateFunction on resource: arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa because no identity-based policy allows the lambda:CreateFunction action (Service: Lambda, Status Code: 403, Request ID: 61895893- bf12-48bf-a51a-dbcf11fc17d8)”（请求令牌：0e3ec851-6bd2-9ef3-751c-a3a947a72668，HandlerErrorCode：AccessDenied）

Here is source code这是源代码

bin/api_lamda.ts bin/api_lamda.ts

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { ApiLamdaStack } from '../lib/api_lamda-stack';

const app = new cdk.App();
new ApiLamdaStack(app, 'ApiLamdaStack', {
  env: { account: 'xxx', region: 'yyy' },
});

lib\api_lamda-stack.ts lib\api_lamda-stack.ts

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Code, Function as LamdaFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
import { join } from 'path';
import { Effect, PolicyStatement, CfnPolicy } from 'aws-cdk-lib/aws-iam';


export class ApiLamdaStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    new iam.Role(this, 'example-iam-role', {
      assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
      managedPolicies: [
        iam.ManagedPolicy.fromAwsManagedPolicyName(
          'AWSLambda_FullAccess',
        ),
      ],
    });

    const helloLamda = new LamdaFunction(this, 'helloLamda', {
      runtime: Runtime.NODEJS_16_X,
      code: Code.fromAsset(join(__dirname, '..', 'services', 'hello')), 
      handler: 'hello.main'
    })

  
  }
}

cdk.json cdk.json

{
  "app": "npx ts-node --prefer-ts-exts bin/apiLamda.ts",
  "watch": {
    "include": [
      "**"
    ],
    "exclude": [
      "README.md",
      "cdk*.json",
      "**/*.d.ts",
      "**/*.js",
      "tsconfig.json",
      "package*.json",
      "yarn.lock",
      "node_modules",
      "test"
    ]
  },
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/core:stackRelativeExports": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
    "@aws-cdk/core:checkSecretUsage": true,
    "@aws-cdk/aws-iam:minimizePolicies": true,
    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
    "@aws-cdk/core:enablePartitionLiterals": true,
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn"
    ]
  }
}

All I want to do is create lamda via CDK, can someone please suggest me what to do?我只想通过 CDK 创建 lamda，有人可以建议我该怎么做吗？

The solution seems to attach role to cloudformation to be able to create lambda function, I have altered the lib\api_lamda-stack.ts please take a look该解决方案似乎将角色附加到 cloudformation 以能够创建 lambda function，我已经更改了lib\api_lamda-stack.ts请看一下

Answer 1

The problem is not in your cdk code.问题不在您的 cdk 代码中。 It says cdk role cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to lambda:CreateFunction .它说 cdk 角色cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation未被授权lambda:CreateFunction 。

Check your profile permissions.检查您的个人资料权限。

Answer 2

Thanks gshpychka and Mehmet, indeed cdk bootstrap was having issue, I has to completely wipe out rescources created by cdktoolkit stack including s3 and ssm parameter store, they were causing hindrance by not getting removed, so cleaning completely ensured creation complete of bootstrap then deploy succeeded.感谢 gshpychka 和 Mehmet，确实 cdk bootstrap 有问题，我必须完全清除由 cdktoolkit 堆栈创建的资源，包括 s3 和 ssm 参数存储，它们由于没有被删除而造成障碍，所以完全清理确保引导创建完成然后部署成功.

无法使用 CDK 创建 AWS Lambda function

问题描述

2 个解决方案

解决方案1
2 2023-01-29 14:21:26

解决方案2
0 2023-02-03 06:29:06

无法使用 CDK 创建 AWS Lambda function

问题描述

2 个解决方案

解决方案1 2 2023-01-29 14:21:26

解决方案2 0 2023-02-03 06:29:06

解决方案1
2 2023-01-29 14:21:26

解决方案2
0 2023-02-03 06:29:06