
Give permission to invoke lambda from ECS by cdk

I get a permission error when invoking lambda from ECS.

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:sts::678100228XXX:assumed-role/vw-dev-fargate-stack-TaskDefAdminTaskRoleA25A3679-1K9EPRKUW9TNV/21bdeb6c10b14db4b1515986d946959a is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:ap-northeast-1:678100228XXX:function:vw-dev-lambda because no identity-based policy allows the lambda:InvokeFunction action

So I want to give ECS permission to access lambda.

I set up ecs in lambda.ts and lambda in ecs.ts.

My current idea is to give ecs the permission in lambda.ts.

In my ecs.ts

const ecsAdminService = new ecs.FargateService(this, "AdminService", {
  cluster,
  taskDefinition:taskDefinitionAdmin,
  desiredCount: 2,
  vpcSubnets:  {subnetType: ec2.SubnetType.PUBLIC },
  assignPublicIp: true,
  securityGroups:[adminServiceSg],
  enableExecuteCommand:true,
  serviceName: "sw-ecs-my-dx-tokyo-jxc-91"
});

In my lambda.ts

const myLambda = new lambda.DockerImageFunction(this, "myLambda", {
  functionName: `vw-${targetEnv}-lambda`,
  vpc:vpc,
  vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
  timeout: cdk.Duration.minutes(1),
  code: lambda.DockerImageCode.fromEcr(myEcrRepo),
  environment:{

  }
});

// I am making here below.
const ecs = "somehow get the ecs here";
myLambda.grantInvoke(ecs); // Something like this.

Am I right??

I ran into two problems.

How do I get the ecs that is defined in another file?

How do I give ecs permission to invoke it?

Or am I fundamentally wrong?

Any help is appreciated. Thank you very much.

This is easy to do by passing variables between stacks.

For example, in some-app

// bin/some-app.ts

import * as cdk from 'aws-cdk-lib';
import { SomeEcsStack } from '../lib/ecs';
import { SomeLambdaStack } from '../lib/lambda';

const app = new cdk.App();
const lmb = new SomeLambdaStack(app, 'SomeLambdaStack'); 
new SomeEcsStack(app, 'SomeEcsStack', {
    lambdaFunc: lmb.lambdaFunc
});

Expose your lambda function

// lib/lambda.ts
import { Duration, Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

export class SomeLambdaStack extends Stack {
  public readonly lambdaFunc: lambda.Function;  // <-- making it available

  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    // targetEnv, vpc and myEcrRepo are defined elsewhere in this stack (as in the question)
    const myLambda = new lambda.DockerImageFunction(this, "myLambda", {
      functionName: `vw-${targetEnv}-lambda`,
      vpc: vpc,
      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
      timeout: Duration.minutes(1),
      code: lambda.DockerImageCode.fromEcr(myEcrRepo),
    });

    this.lambdaFunc = myLambda; // <-- making it available
  }
}

Grant the ecs task definition's role permission to invoke

// lib/ecs.ts
import { Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import { Construct } from 'constructs';

export interface SomeEcsStackProps extends StackProps {
  readonly lambdaFunc: lambda.Function;   // <-- expect lambda to be passed
}
export class SomeEcsStack extends Stack {
  // props is required (not optional) so that props.lambdaFunc is always defined
  constructor(scope: Construct, id: string, props: SomeEcsStackProps) {
    super(scope, id, props);

    // cluster, taskDefinitionAdmin and adminServiceSg are defined elsewhere in this stack (as in the question)
    const ecsAdminService = new ecs.FargateService(this, "AdminService", {
      cluster,
      taskDefinition: taskDefinitionAdmin,
      desiredCount: 2,
      vpcSubnets: { subnetType: ec2.SubnetType.PUBLIC },
      assignPublicIp: true,
      securityGroups: [adminServiceSg],
      enableExecuteCommand: true,
      serviceName: "sw-ecs-my-dx-tokyo-jxc-91"
    });

    props.lambdaFunc.grantInvoke(taskDefinitionAdmin.taskRole);  // <-- Grant permission to task role
  }
}
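As an added example (not part of the original answer), here is a plain TypeScript check a practitioner can run over the `cdk synth` output of the ECS stack to confirm that the grant landed on the task role named in the error message and is scoped to the function ARN rather than "*". The template below is constructed; the policy logical-ID suffix and the cross-stack export name are assumed.

```typescript
// Added example (not from the original answer): audit `cdk synth` output to confirm that
// grantInvoke() landed on the ECS *task* role and is scoped to the function ARN, not "*".
type Statement = { Effect: string; Action: string | string[]; Resource: unknown };
type Template = { Resources: Record<string, { Type: string; Properties?: Record<string, any> }> };
export interface InvokeGrant { policyId: string; resources: string[]; wildcard: boolean }

// Render a CloudFormation value (string, Fn::ImportValue, Fn::Join, other intrinsics) as text.
function renderRef(r: unknown): string {
  if (typeof r === 'string') return r;
  const o = (typeof r === 'object' && r !== null ? r : {}) as Record<string, unknown>;
  if ('Fn::ImportValue' in o) return `ImportValue(${String(o['Fn::ImportValue'])})`;
  if ('Fn::Join' in o) {
    const [sep, parts] = o['Fn::Join'] as [string, unknown[]];
    return parts.map(renderRef).join(sep);
  }
  return JSON.stringify(r);
}

// Collect every Allow statement for lambda:InvokeFunction in inline policies attached to roleLogicalId.
export function findInvokeGrants(template: Template, roleLogicalId: string): InvokeGrant[] {
  const grants: InvokeGrant[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const roles: Array<{ Ref: string }> = res.Properties?.Roles ?? [];
    if (!roles.some((r) => r.Ref === roleLogicalId)) continue;
    const statements: Statement[] = res.Properties?.PolicyDocument?.Statement ?? [];
    for (const s of statements) {
      const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
      if (s.Effect !== 'Allow' || !actions.some((a) => ['lambda:InvokeFunction', 'lambda:*', '*'].includes(a))) continue;
      const resources = (Array.isArray(s.Resource) ? s.Resource : [s.Resource]).map(renderRef);
      grants.push({ policyId: id, resources, wildcard: resources.includes('*') });
    }
  }
  return grants;
}

// Constructed sample of what `cdk synth SomeEcsStack` emits for the answer's
// props.lambdaFunc.grantInvoke(taskDefinitionAdmin.taskRole). The policy ID suffix and export
// name are made up; CDK grants the function ARN plus "<arn>:*" (versions/aliases), never "*".
const LAMBDA_ARN = { 'Fn::ImportValue': 'SomeLambdaStack:ExportsOutputFnGetAttmyLambdaArnXXXX' };
export const sampleTemplate: Template = { Resources: {
  TaskDefAdminTaskRoleDefaultPolicyXXXX: { Type: 'AWS::IAM::Policy', Properties: {
    Roles: [{ Ref: 'TaskDefAdminTaskRoleA25A3679' }],
    PolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 'lambda:InvokeFunction',
      Resource: [LAMBDA_ARN, { 'Fn::Join': ['', [LAMBDA_ARN, ':*']] }] }] },
  } },
} };
```

Run it against the real `cdk.out/SomeEcsStack.template.json` with the task role's logical ID; an empty result means the grant went to a different role (for example the execution role), and `wildcard: true` means the policy is broader than the single function.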
