[英]AWS StateMachine AccessDeniedException in step: CleanUpOnError
尝试在 lambda 上执行步骤 function 时出现以下错误
"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:sts::14161:assumed-role/serverlessrepo-Functi-cleanerRole/serverlessrepo-=Function-p-cleaner is not authorized to perform: lambda:functionname on resource: arn:aws:lambda:function:functionname because no identity-based policy allows the lambda:functionname action",
Resources:
FunctionExecutionRole: # Execution role for function
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: [
"sts:AssumeRole",
"lambda:InvokeAsync",
"lambda:InvokeFunction"
]
Resource: "*"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AWSLambda_FullAccess
- arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
- arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
Tags:
- Key: Application
Value: !Sub '${ApplicationTag}'
Function1:
Type: AWS::Serverless::Function # Find or Create alias lambda function
Properties:
PackageType: Image
ImageConfig:
Command:
- function1.lambda_handler
ImageUri:
AutoPublishAlias: live # This property enables lambda function versioning.
Role: !GetAtt FindOrCreateAliasExecutionRole.Arn
Tags:
Application: !Sub '${ApplicationTag}'
我无权更改用户的 IAM 角色/策略/权限
您希望您的 lambda function 调用步骤 function。但是,您的 lambda 执行角色没有调用步骤函数的权限。
您至少需要的是states:StartExecution https://docs.aws.amazon.com/step-functions/latest/apireference/API_StartExecution.html
如果不改变这个角色,我认为你无能为力。 唯一的理论上的解决方案是使用 sts:AssumeRole 承担另一个具有必要特权的角色(如果这样的角色存在并且具有允许您的 lambda function 承担它的资源策略)。
从 Lambda 检索 AWS 参数时出现 AccessDeniedException
[英]AccessDeniedException when retrieving AWS Parameters from Lambda
AWS 时间流上的策略允许角色执行的操作的 AccessDeniedException
[英]AccessDeniedException for the action that is allowed to a role by a policy on AWS timestream
创建 aws_api_gateway_account 资源返回 AccessDeniedException
[英]Creating an aws_api_gateway_account resource returns AccessDeniedException
AWS timestream-write 获取“调用 DescribeEndpoints 操作时发生错误 (AccessDeniedException):不允许执行此操作。”
[英]AWS timestream-write gets "An error occurred (AccessDeniedException) when calling the DescribeEndpoints operation: This operation is not allowed."
调用 AWS SSO 权限集时从 Lambda function 获取 AccessDeniedException
[英]Getting AccessDeniedException from Lambda function when calling AWS SSO Permission set
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.