[英]AWS Lambda accessing API Gateway
我有一個無服務器功能定義如下
UserLockoutLambda:
Type: "AWS::Lambda::Function"
Properties:
Handler: "com.url.ftp.userlockout.LockUserLambda::handleRequest"
Role: !GetAtt UserLockoutLambdaRole.Arn
Code:
S3Bucket: !Ref lambdas3bucketname
S3Key: !Ref lambdas3key
Runtime: "java8"
MemorySize: 256
Timeout: 300
FunctionName: !Sub 'url-lambda-lam-${AWS::Region}-${envtag}'
Environment:
Variables:
USER_MGMT_API_URL:
!Sub 'https://urlapi.${envtag}.${hostedzonename}/uma/LATEST/'
USER_MGMT_API_KEY_NAME:
!Sub 'url-cfmusermgmt-apikey-${envtag}'
Tags:
- Key: Name
Value: !Sub 'url-cfmuserlockoutlambda-lam-${AWS::Region}-${envtag}'
- Key: function
Value: lambda function that locks the proftp user when failed login attempts reach threshold value
我已經按照以下步驟設置了角色和策略(這是供lambda訪問apiGateway的方法)
UserLockoutLambdaRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: !Sub "url-lambda-iam-${AWS::Region}-role_${envtag}"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
- "apigateway.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
- !Ref UserLockoutLambdaManagedPolicy
UserLockoutLambdaManagedPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: !Sub "url-lambda-iam-${AWS::Region}-policy_${envtag}"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "execute-api:Invoke"
Resource:
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/lockuser/*'
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/invalidlogin/*'
- !Sub 'arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${userMgmtApiId}/*/PUT/ftpuser/unlockuser/*'
- Effect: "Allow"
Action:
- "apigateway:GET"
Resource:
- !Sub 'arn:aws:apigateway:${AWS::Region}::/apikeys'
但是,當我從代碼中調用api網關時,出現以下錯誤:
"Message": "User: arn:aws:sts::<id>:assumed-role/url-lambda-iam-us-east-1-role_i2388/url-cfmuserlockoutlambda-lam-us-east-1-i2388
is not authorized to perform: execute-api:Invoke on resource:
arn:aws:execute-api:us-east-1:********3636:apiGatewayID/LATEST/PUT/ftpuser/invalidlogin" }
從外觀上看,Lambda函數名稱已添加到假定角色中,並且顯然沒有為此編寫策略。 我不確定為什么要附加函數名,以及如何更改策略才能使其起作用。
任何幫助,不勝感激。
謝謝Karthik
我發現了一個可能有問題的地方您的lambda授權在資源上調用api-'... / invalidlogin / *'
但是嘗試調用'... / invalidlogin'
我認為您需要從資源arn中刪除“ / *”
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.