AWS SAM Multiple Functions with same Inline Policy
In an AWS SAM YAML template I can declare an inline policy for each Lambda function, like this:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Policies:
        - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
                - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
                - ssm:GetParameters
                - ssm:GetParameter
              Resource: '*'
But if I want several functions to share the same inline policy document, do we declare it in the template's "Globals" section?
So far the documentation leads me to believe the cleanest way is to create a role with the policy attached and then simply declare that role on each function, like this:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
      Role: arn:aws:iam::111111111111:role/SAMPolicy
Is there a way to declare an inline policy once in the template and then simply reference it from each function?
"If I want several functions to share the same inline policy document, do we declare it in the template's 'Globals' section?" Yes. Here is an example:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Globals:
  Function:
    Policies:
      - Statement:
          - Sid: SSMDescribeParametersPolicy
            Effect: Allow
            Action:
              - ssm:DescribeParameters
            Resource: '*'
          - Sid: SSMGetParameterPolicy
            Effect: Allow
            Action:
              - ssm:GetParameters
              - ssm:GetParameter
            Resource: '*'
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/function.zip'
  MyOtherFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      CodeUri: 's3://my-bucket/other-function.zip'
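As an added example (not part of the question or of either answer), here is the same Globals approach with the shared SSM statements scoped down, plus a function that adds its own statement on top of the shared ones. It assumes the parameters live under a /myapp/ path prefix, that the runtime is nodejs18.x, and that the partition, region and account ID come from CloudFormation pseudo parameters; the EventTable resource is made up for the example. Two points it shows that the answer above does not: ssm:DescribeParameters must keep Resource: '*' because that action does not support resource-level permissions, while the ssm:Get* actions do, so the wildcard on them is what is worth tightening; and because list properties in Globals are additive, a function-level Policies list is appended to the shared one rather than replacing it.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Globals:
  Function:
    Runtime: nodejs18.x      # assumed runtime for this example
    Handler: index.handler
    Policies:
      # Shared by every AWS::Serverless::Function in the template. SAM still
      # generates one execution role per function; each role gets these statements.
      - Statement:
          - Sid: SSMDescribeParametersPolicy
            Effect: Allow
            Action:
              - ssm:DescribeParameters
            # DescribeParameters has no resource-level permissions, so '*' is required here.
            Resource: '*'
          - Sid: SSMGetParameterPolicy
            Effect: Allow
            Action:
              - ssm:GetParameter
              - ssm:GetParameters
              - ssm:GetParametersByPath
            # Scoped to one parameter tree instead of '*' (assumed prefix /myapp/).
            # SecureString parameters additionally need kms:Decrypt on the key that
            # encrypts them (not shown).
            Resource: !Sub 'arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/myapp/*'

Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: 's3://my-bucket/function.zip'
      # No Policies here: this function's role carries only the Globals statements.

  MyOtherFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: 's3://my-bucket/other-function.zip'
      # Lists in Globals are additive: this role gets the shared SSM statements
      # plus the DynamoDB statement below.
      Policies:
        - Statement:
            - Sid: EventTableWrite
              Effect: Allow
              Action:
                - dynamodb:PutItem
              Resource: !GetAtt EventTable.Arn

  # Made-up table so the GetAtt above resolves.
  EventTable:
    Type: 'AWS::Serverless::SimpleTable'
```

One caveat when mixing this with the question's second template: if a function sets Role, SAM does not generate an execution role for it and its Policies, the Globals ones included, are not applied to that function. The scoping then has to be done in the role you supply.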
What you want to do should work, but currently it doesn't.
What you can do is define an AWS::IAM::Role that can be assumed by one or more functions, then define your AWS::IAM::Policy policies separately and attach each of them to one or more roles.
# Fragment of a template's Resources section. DynamoDBTable1, EventTable,
# LogEventFunction, MainDB and Libraries are referenced here but defined
# elsewhere in the template; Handler and Runtime are assumed to come from Globals.
Function1:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: function-1
    CodeUri: functions/func-1
    Description: Does stuff with DynamoDB and calls another Lambda function
    # An explicit Role means SAM does not generate an execution role for this function
    Role: !GetAtt Role1.Arn
    Environment:
      Variables:
        TABLE_NAME: !Ref DynamoDBTable1
Function2:
  Type: AWS::Serverless::Function
  Properties:
    FunctionName: function-2
    CodeUri: functions/func-2
    Description: Does stuff with the main database
    Role: !GetAtt Role2.Arn
    Layers:
      - !Ref Libraries
    Environment:
      Variables:
        PGHOST: !GetAtt MainDB.Endpoint.Address
        PGPORT: !GetAtt MainDB.Endpoint.Port
Role1:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      # CloudWatch Logs permissions every Lambda execution role needs
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      # Inline policy that only this role receives
      - PolicyName: allow-dynamodb-write
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Action: dynamodb:PutItem
              Resource: !GetAtt EventTable.Arn
              Effect: Allow
Role2:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
# Standalone policy attached to both roles: the shared part of the setup
AllowInvokeFunctionPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: allow-invoke-function
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Action: lambda:InvokeFunction
          Resource: !GetAtt LogEventFunction.Arn
          Effect: Allow
    Roles:
      - Ref: Role1
      - Ref: Role2
# Standalone policy attached to a single role
AllowDBAccessPolicy:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: allow-rds-connect
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Action: rds-db:connect
          # Note: rds-db:connect is evaluated against a resource of the form
          # arn:aws:rds-db:<region>:<account>:dbuser:<DbiResourceId>/<db_user>,
          # not the instance ARN used here.
          Resource: !Sub arn:aws:rds:${AWS::Region}:${AWS::AccountId}:db:${MainDB}
          Effect: Allow
    Roles:
      - Ref: Role2