
How to attach an IAM policy to a Lambda function for SNS publish access?


I am trying to grant my Lambda function permissions so that it can publish SNS messages.

I am creating my Lambda in Terraform:

resource "aws_lambda_function" "DynamoDB_SNS_Lambda" {
  s3_bucket     = var.bucket_id
  s3_key        = "s3key.zip"
  handler       = "index.handler"
  runtime       = "nodejs16.x"
  role          = aws_iam_role.lambda_iam_role.arn
  function_name = "lambda_name"
}

Then I create a new IAM role:

resource "aws_iam_role" "lambda_iam_role" {
  name = "sns_lambda_iam_role"
  assume_role_policy = data.aws_iam_policy_document.sns_lambda_policy.json
}

data "aws_iam_policy_document" "sns_lambda_policy" {
  
  statement {
    sid     = ""
    effect  = "Allow"

    actions = [
      "sns:Publish",
    ]

    resources = [
      var.order_update_sns_topic_arn
    ]
    
  }
}

Then I try to attach a policy to that IAM role to allow SNS permissions.

resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  role       = aws_iam_role.lambda_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSNSRole"
}

When I run terraform apply, I get the following error:

module.Lambda.aws_iam_role.lambda_iam_role: Modifying... [id=sns_lambda_iam_role]
╷
│ Error: error updating IAM Role (sns_lambda_iam_role) assume role policy: MalformedPolicyDocument: Has prohibited field Resource
│   status code: 400, request id: 98a57a4c-1839-4a04-b903-e7deb409c71e
│ 
│   with module.Lambda.aws_iam_role.lambda_iam_role,
│   on modules/lambda/main.tf line 17, in resource "aws_iam_role" "lambda_iam_role":
│   17: resource "aws_iam_role" "lambda_iam_role" {

Am I creating the aws_iam_policy_document correctly?

Am I right in thinking that I need to use aws_iam_role_policy_attachment to attach the policy to the role?

This is an incorrect assume-role policy. The assume-role policy only states who/what can assume the role, not what permissions the role has. In your case, only Lambda can assume the role. The actual permissions can then be set with inline_policy. For example:

resource "aws_iam_role" "lambda_iam_role" {
  name = "sns_lambda_iam_role"

  assume_role_policy =  jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "lambda.amazonaws.com"
        }
      },
    ]
  })
  
  inline_policy {
    name   = "policy-8675309"
    policy = data.aws_iam_policy_document.sns_lambda_policy.json
  }
  
} 
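The following is an added example and is not code from the asker or the answerer. It shows the same separation the answer describes, but done the way the asker originally intended: the trust policy is kept as an aws_iam_policy_document with a principals block (a Principal and no Resource, which is exactly what the MalformedPolicyDocument error complained about), the sns:Publish permission lives in a customer-managed aws_iam_policy scoped to one topic ARN, and both that policy and the AWS-managed AWSLambdaBasicExecutionRole (CloudWatch Logs only) are attached with aws_iam_role_policy_attachment. The variable var.order_update_sns_topic_arn and the resource names are taken from the question; the policy and attachment names are assumptions. Note that the AWS-managed AmazonSNSRole policy the question attaches is the service role SNS itself uses to write logs; it does not grant sns:Publish to a caller, so it is not used here.

```hcl
# Added example (not the asker's or answerer's code).
# Assumes var.order_update_sns_topic_arn from the question; names below are assumptions.

# Trust policy: WHO may assume the role. Only a Principal and sts:AssumeRole;
# a Resource element here is what produced "Has prohibited field Resource".
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda_iam_role" {
  name               = "sns_lambda_iam_role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Permission policy: WHAT the role may do. Least privilege: one action, one topic.
data "aws_iam_policy_document" "sns_publish" {
  statement {
    effect    = "Allow"
    actions   = ["sns:Publish"]
    resources = [var.order_update_sns_topic_arn]
  }
}

resource "aws_iam_policy" "sns_publish" {
  name   = "sns_lambda_publish"   # assumed name
  policy = data.aws_iam_policy_document.sns_publish.json
}

# Attach the customer-managed policy to the role (what the asker was trying to do).
resource "aws_iam_role_policy_attachment" "sns_publish" {
  role       = aws_iam_role.lambda_iam_role.name
  policy_arn = aws_iam_policy.sns_publish.arn
}

# AWS-managed policy that only grants CloudWatch Logs access for the function's own logs.
resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
  role       = aws_iam_role.lambda_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}
```

A quick way to check the result before wiring it to the function is terraform plan: the aws_iam_role's assume_role_policy should show only a Principal/Action/Effect statement, and the Resource-bearing statement should appear only under aws_iam_policy.sns_publish. Keeping the permission policy as a separate aws_iam_policy rather than an inline_policy block also lets the same scoped policy be reused by other roles that need to publish to that one topic without widening it.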

