承担AWS Lambda中的角色,在SSM调用中拒绝访问
Oli*_*Oli 13 amazon-web-services amazon-iam
我的Lambda函数中出现错误,该函数调用SSM:
AccessDeniedException:User:arn:aws:sts :: redacted:assume-role/LambdaBackend_master_lambda/SpikeLambda无权执行:ssm:资源上的GetParameter:arn:aws:ssm:eu-west-1:redacted:parameter/default /键/ API
但是,我很确定我正确配置了这个:
使用AssumeRole for Lambda的角色(尽管我们知道它可以从错误消息中获得).
? aws iam get-role --role-name LambdaBackend_master_lambda
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
},
"RoleId": "redacted",
"CreateDate": "2017-06-23T20:49:37Z",
"RoleName": "LambdaBackend_master_lambda",
"Path": "/",
"Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
}
}
我的政策是:
? aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
"PolicyNames": [
"ssm_read"
]
}
? aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
"RoleName": "LambdaBackend_master_lambda",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
"Effect": "Allow"
}
]
},
"PolicyName": "ssm_read"
}
我通过策略模拟器运行它似乎没问题!
jef*_*rey 22
今天玩了这个并获得了以下内容,在使用GetParameter操作时,删除ssm:GetParameters和使用ssm:GetParameter似乎工作.即AWS_PROFILE=pstore aws ssm get-parameter --name param_name此weirded我出去了一下,因为我无法找到这在IAM行动文档都在这里.然而它似乎确实有效,而ssm仍然有点记录在案.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameter"
],
"Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
"Effect": "Allow"
}
]
}
- 我有 `Action: ["ssm:GetParametersByPath", "ssm:GetParameters", "ssm:GetParameter"]` 并且失败了。删除前两个并只留下“ssm:GetParameter”后,我就开始工作了 (3认同)
- 在记录下,但仍然比我使用的一些软件更好地记录!谢谢! (2认同)
| 归档时间: |
|
| 查看次数: |
9610 次 |
| 最近记录: |