Ros*_*don 1 aws-cloudformation aws-lambda aws-sam
我是 AWS SAM 模板的新手,希望能够使用一系列策略创建角色,然后为 Lambda 函数引用该角色。但是,当我尝试部署时出现以下错误:
'role' 处的值 'MyRole' 未能满足约束:成员必须满足正则表达式模式:arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a -zA-Z_0-9+=,.@-_/]+
这个答案提到我可以将策略直接添加到函数中,但我会有很多需要相同策略的函数,所以这不是一个非常 DRY 的方法 IAM 模板中的 IAM 角色
是!GetAtt新创建的角色无法使用的问题吗?
这是我的template.yml样子:
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get
您的 lambda 函数定义中缺少 Properties 标记,并且缺少策略列表 - 对于第一个策略。
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
OMW Backend Services
Globals:
Function:
Timeout: 3
Resources:
MyRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
- 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Principal:
Service:
- 'lambda.amazonaws.com'
Action:
- 'sts:AssumeRole'
Policies:
-
PolicyName: 'ParameterStoreDevParameterAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'ssm:GetParameter*'
Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
-
PolicyName: 'ParameterStoreDevLambdaBasicExecution'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
-
PolicyName: 'ParameterStoreDevXRayAccess'
PolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: Allow
Action:
- 'xray:PutTraceSegments'
- 'xray:PutTelemetryRecords'
Resource: '*'
MyFunction:
Type: AWS::Serverless::Function
Properties:
Tracing: Active
CodeUri: functions/src/
Handler: lookup.lambdaHandler
Runtime: nodejs10.x
Timeout: 10
MemorySize: 256
Role: !GetAtt MyRole.Arn
Events:
Lookup:
Type: Api
Properties:
Path: /somePath/{id}
Method: get
| 归档时间: |
|
| 查看次数: |
2444 次 |
| 最近记录: |