AWS Lambda訪問API網關

Question

我有一個無服務器功能定義如下

UserLockoutLambda:
    Type: "AWS::Lambda::Function"
    Properties:
        Handler: "com.url.ftp.userlockout.LockUserLambda::handleRequest"
        Role: !GetAtt UserLockoutLambdaRole.Arn
        Code:
            S3Bucket: !Ref lambdas3bucketname
            S3Key: !Ref lambdas3key
        Runtime: "java8"
        MemorySize: 256
        Timeout: 300
        FunctionName: !Sub 'url-lambda-lam-${AWS::Region}-${envtag}'
        Environment:
            Variables:
                USER_MGMT_API_URL:
                    !Sub 'https://urlapi.${envtag}.${hostedzonename}/uma/LATEST/'
                USER_MGMT_API_KEY_NAME:
                    !Sub 'url-cfmusermgmt-apikey-${envtag}'
        Tags:
            - Key: Name
                Value: !Sub 'url-cfmuserlockoutlambda-lam-${AWS::Region}-${envtag}'
            - Key: function
                Value: lambda function that locks the proftp user when failed login attempts reach threshold value

我已經按照以下步驟設置了角色和策略（這是供lambda訪問apiGateway的方法）

UserLockoutLambdaRole:
    Type: "AWS::IAM::Role"
    Properties:
        RoleName: !Sub "url-lambda-iam-${AWS::Region}-role_${envtag}"
        AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: "Allow"
                    Principal:
                        Service:
                            - "lambda.amazonaws.com"
                            - "apigateway.amazonaws.com"
                    Action:
                        - "sts:AssumeRole"
        Path: "/"
        ManagedPolicyArns:
            - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
            - !Ref UserLockoutLambdaManagedPolicy

UserLockoutLambdaManagedPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
        ManagedPolicyName: !Sub "url-lambda-iam-${AWS::Region}-policy_${envtag}"
        PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: "Allow"
                    Action:
                        - "execute-api:Invoke"
                    Resource:
                        - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/lockuser/*'
                        - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/invalidlogin/*'
                        - !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/unlockuser/*'
                - Effect: "Allow"
                    Action:
                        - "apigateway:GET"
                    Resource:
                        - !Sub 'arn:aws:apigateway:${AWS::Region}::/apikeys'

但是，當我從代碼中調用api網關時，出現以下錯誤：

"Message": "User: arn:aws:sts::<id>:assumed-role/url-lambda-iam-us-east-1-role_i2388/url-cfmuserlockoutlambda-lam-us-east-1-i2388
is not authorized to perform: execute-api:Invoke on resource: 
arn:aws:execute-api:us-east-1:********3636:apiGatewayID/LATEST/PUT/ftpuser/invalidlogin" }

從外觀上看，Lambda函數名稱已添加到假定角色中，並且顯然沒有為此編寫策略。 我不確定為什么要附加函數名，以及如何更改策略才能使其起作用。

任何幫助，不勝感激。

謝謝Karthik

Answer 1

我發現了一個可能有問題的地方您的lambda授權在資源上調用api-'... / invalidlogin / *'

但是嘗試調用'... / invalidlogin'

我認為您需要從資源arn中刪除“ / *”

AWS Lambda訪問API網關

問題描述

1 個解決方案

解決方案1
0 2019-02-28 19:49:27

AWS Lambda訪問API網關

問題描述

1 個解決方案

解決方案1 0 2019-02-28 19:49:27

解決方案1
0 2019-02-28 19:49:27