
AWS MediaConvert Python AccessDeniedException: when calling the CreateJob operation

I am trying to create a simple MediaConnect job using Python. My pipeline is simple: an S3Put triggers a Python Lambda, and I am trying to create a simple job. I created a simple job using the AWS console, and the job JSON looks like this -

{
  "Queue": "arn:aws:mediaconvert:ap-south-1:----:queues/Default",
  "UserMetadata": {},
  "Role": "arn:aws:iam::----:role/mediaConverterRole",
  "Settings": {
    "TimecodeConfig": {
      "Source": "ZEROBASED"
    },
    "OutputGroups": [
      {
        "Name": "File Group",
        "Outputs": [
          {
            "Preset": "System-Generic_Hd_Mp4_Av1_Aac_16x9_640x360p_24Hz_250Kbps_Qvbr_Vq6",
            "Extension": ".mp4",
            "NameModifier": "converted"
          }
        ],
        "OutputGroupSettings": {
          "Type": "FILE_GROUP_SETTINGS",
          "FileGroupSettings": {
            "Destination": "s3://----/"
          }
        }
      }
    ],
    "Inputs": [
      {
        "AudioSelectors": {
          "Audio Selector 1": {
            "DefaultSelection": "DEFAULT"
          }
        },
        "VideoSelector": {},
        "TimecodeSource": "ZEROBASED",
        "FileInput": "s3://----/videos/sample786.mp4"
      }
    ]
  },
  "AccelerationSettings": {
    "Mode": "DISABLED"
  },
  "StatusUpdateInterval": "SECONDS_60",
  "Priority": 0
}

Note that the Role works fine when used from the AWS console. So far, so good.

Now moving to my pipeline, s3Put -> Python Lambda -> MediaConnect, the infrastructure is written with Terraform. My iam.tf file -

# create a role
# resource_type - resource_name
resource "aws_iam_role" "lambda_role" {
  name = "${local.resource_component}-lambda-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [{
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
        },
      "Effect": "Allow",
      "Sid": ""
      },
      {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "mediaconvert.amazonaws.com"
      },
      "Sid": "",
      "Effect": "Allow",
    }
    ]
  })
}

# create policy 
resource "aws_iam_policy" "policy" {
  name = "${local.resource_component}-lambda-policy"
  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "logs:*"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::*"
      }
    ]
  })
}

# attach policy to the role
resource "aws_iam_role_policy_attachment" "policy_attachment" {
  role       = "${aws_iam_role.lambda_role.name}"
  policy_arn = "${aws_iam_policy.policy.arn}"
}

The lambda code is triggered successfully by the S3Put. But the lambda throws an error -

(AccessDeniedException) when calling the CreateJob operation: User: arn:aws:sts::---:assumed-role/vidstream-inputVideoProcessor-lambda-role/vidstream-inputVideoProcessor is not authorized to perform: iam:PassRole on resource: arn:aws:iam::---:role/mediaConverterRole

I tried to find a simple example for boto3 but could not find a simpler one online. The lambda Python code is here -

import json
import logging
import boto3


# initialize logger
logger = logging.getLogger()
logger.setLevel(logging.INFO)

def handler(event, context):

    # get input bucket
    input_bucket_name = event['Records'][0]['s3']['bucket']['name']

    # get file/object name
    media_object = event['Records'][0]['s3']['object']['key']


    # open json mediaconvert template
    with open("job.json", "r") as jsonfile:
        job_object = json.load(jsonfile)

    # prepare data for mediaconvert job
    input_file = f's3://{input_bucket_name}/{media_object}'

    # edit job object
    job_object['Settings']['Inputs'][0]['FileInput'] = input_file

    # updated job object
    logger.info("updated job object")

    # Create MediaConvert client
    mediaconvert_client = boto3.client('mediaconvert')

    try:
        # try to create a job
        mediaconvert_client.create_job(**job_object)

    except Exception as e:
        logger.error(e)

    return {
        'statusCode': 200,
        'body': json.dumps(event)
    }

boto3 MediaConvert documentation provided by AWS

I am at a loss and don't know what to do. Does anyone have a simpler example that could help me? I just need to create a simple job using Lambda, with no complexity.

Any kind of help would be greatly appreciated.

OK, I solved this problem by adding iam:PassRole to the lambda policy.

{
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
        ],
      "Resource": "*"
    }

So the updated iam.tf file is -

# create a role
# resource_type - resource_name
resource "aws_iam_role" "lambda_role" {
  name = "${local.resource_component}-lambda-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [{
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
        },
      "Effect": "Allow",
      "Sid": ""
      },
      {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "mediaconvert.amazonaws.com"
      },
      "Sid": "",
      "Effect": "Allow",
    }
    ]
  })
}

# create policy 
resource "aws_iam_policy" "policy" {
  name = "${local.resource_component}-lambda-policy"
  policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "logs:*"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:*"
        ],
        "Resource": "arn:aws:s3:::*"
      },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
        ],
      "Resource": "*"
    }
  ]
})
}


# attach policy to the role
resource "aws_iam_role_policy_attachment" "policy_attachment" {
  role       = "${aws_iam_role.lambda_role.name}"
  policy_arn = "${aws_iam_policy.policy.arn}"
}

I first added this to the lambda policy from the AWS console. After that, I added it to my tf file. Be careful when editing something on the console while the main infrastructure is written in IaC such as Terraform; if you forget what you did, this can cause drift.
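The answer grants `iam:PassRole` on `Resource = "*"`, which lets the Lambda hand any role in the account to any service that accepts one. The following is an added example, not part of the original question or answer, showing the same policy in Terraform with PassRole scoped to a single role and a single target service; the `aws_iam_role.mediaconvert_role` reference and the data source name are assumptions (the page uses a pre-existing role called mediaConverterRole, whose ARN could be supplied through a variable instead).

```hcl
# Added example: least-privilege alternative to the iam:PassRole on "*" statement.
# Assumption: the MediaConvert job role (mediaConverterRole on the page) is managed
# in this same configuration as aws_iam_role.mediaconvert_role.
data "aws_iam_policy_document" "lambda" {
  # CloudWatch Logs for the Lambda itself, narrowed from logs:*.
  statement {
    sid       = "Logs"
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:*"]
  }

  # The Lambda only submits the job; MediaConvert reads the input and writes the
  # output through the role it is passed, so the Lambda needs no s3:* here.
  statement {
    sid       = "CreateJob"
    effect    = "Allow"
    actions   = ["mediaconvert:CreateJob"]
    resources = ["*"]
  }

  # PassRole is limited to exactly one role, and that role may only be passed
  # to MediaConvert (iam:PassedToService), not to EC2, Lambda or anything else.
  statement {
    sid       = "PassMediaConvertRole"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.mediaconvert_role.arn]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["mediaconvert.amazonaws.com"]
    }
  }
}

# Same policy resource as on the page, now rendered from the document above.
resource "aws_iam_policy" "policy" {
  name   = "${local.resource_component}-lambda-policy"
  policy = data.aws_iam_policy_document.lambda.json
}
```

If the passed role is ever broadened or a different service is given the Lambda's role, the `iam:PassedToService` condition turns that into an explicit AccessDenied rather than a silent privilege gain.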
