AccessDeniedException when retrieving AWS Parameters from Lambda
AWS StateMachine AccessDeniedException in step: CleanUpOnError
I get the following error when trying to execute a Step Function from the Lambda:
"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:sts::14161:assumed-role/serverlessrepo-Functi-cleanerRole/serverlessrepo-=Function-p-cleaner is not authorized to perform: lambda:functionname on resource: arn:aws:lambda:function:functionname because no identity-based policy allows the lambda:functionname action",
Resources:
  FunctionExecutionRole: # Execution role for function
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            # A trust policy only states who may assume the role: it takes
            # sts:AssumeRole alone and no Resource element (IAM rejects the
            # document otherwise). Lambda invoke permissions belong in the
            # role's permission policies, not here.
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambda_FullAccess
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess
      Tags:
        - Key: Application
          Value: !Sub '${ApplicationTag}'
  Function1:
    Type: AWS::Serverless::Function # Find or Create alias lambda function
    Properties:
      PackageType: Image
      ImageConfig:
        Command:
          - function1.lambda_handler
      ImageUri:
      AutoPublishAlias: live # This property enables lambda function versioning.
      Role: !GetAtt FindOrCreateAliasExecutionRole.Arn
      Tags:
        Application: !Sub '${ApplicationTag}'
I do not have permission to change the user's IAM roles/policies/permissions.
You want your Lambda function to call a Step Function. However, your Lambda execution role does not have permission to invoke Step Functions.
The minimum you need is states:StartExecution.
https://docs.aws.amazon.com/step-functions/latest/apireference/API_StartExecution.html
Without changing this role, I don't think there is anything you can do. The only theoretical solution is to use sts:AssumeRole to assume another role that has the necessary privileges (if such a role exists and has a resource policy that allows your Lambda function to assume it).
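As an added example (not code from the original question or answer), the SAM template fragment below applies the answer's fix: the execution role gets states:StartExecution on a single state machine instead of relying on AWSLambda_FullAccess, and a second statement covers the answer's sts:AssumeRole fallback. The state machine logical ID OrderStateMachine, the parameters Function1ImageUri and DelegatedRoleName, and the environment variable name are assumptions; the state machine and the parameters are assumed to be defined elsewhere in the same template.

```yaml
# Added example, not from the original post. Assumes OrderStateMachine
# (an AWS::Serverless::StateMachine), Function1ImageUri and DelegatedRoleName
# are declared elsewhere in the template.
Resources:
  FunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume the role, and the
      # only action a trust policy carries is sts:AssumeRole.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Logs and VPC networking only; no AWSLambda_FullAccess.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: StartStateMachine
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # The minimum the answer names, scoped to one state machine.
              - Sid: StartOnlyThisStateMachine
                Effect: Allow
                Action: states:StartExecution
                Resource: !Ref OrderStateMachine   # Ref resolves to the ARN
              # Only for the answer's fallback: assume a separately owned role
              # that already holds the Step Functions permission. That role's
              # trust policy must list this role's ARN as a principal.
              - Sid: AssumeDelegatedRole
                Effect: Allow
                Action: sts:AssumeRole
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:role/${DelegatedRoleName}

  Function1:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageConfig:
        Command:
          - function1.lambda_handler
      ImageUri: !Ref Function1ImageUri
      AutoPublishAlias: live
      Role: !GetAtt FunctionExecutionRole.Arn
      Environment:
        Variables:
          # Hand the handler the ARN it is allowed to start, nothing wider.
          STATE_MACHINE_ARN: !Ref OrderStateMachine
```

Ref on an AWS::Serverless::StateMachine resolves to its ARN, so the StartOnlyThisStateMachine statement matches exactly one state machine; an AccessDeniedException on any other ARN is the intended outcome. The AssumeDelegatedRole statement is only useful if the target role's own trust policy names this role as a principal, which is the part the answer says you cannot create yourself; drop it when no such role exists, since an sts:AssumeRole grant with nothing to assume is just unused privilege.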