TKi*_*hvi 5 amazon-web-services aws-lambda aws-api-gateway
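I'm trying to call a function from the API Gateway API using the AWS SDK, but I get the following error.
The execution role has a policy with execute-api:* as the action and "*" as the resource.
The code is: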
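const restApi = await new Promise((resolve, reject) => {
  // Reject on error (e.g. AccessDeniedException), otherwise resolve with the REST API description
  apiGateway.getRestApi({restApiId: myRestApi}, (err, data) => (err ? reject(err) : resolve(data)));
});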
Error:
2020-06-06T08:58:47.741Z d3e08e04-095c-41ec-bbe6-69344d53854c INFO getRestApi err AccessDeniedException: User: arn:aws:sts::123412341234:assumed-role/mydev-LambdaExecutionRole/mydev-api-FooFunctionsStack-AddFooFunction-123ASDF is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:eu-west-1::/restapis/xxx111yy
at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
The network setup should be fine: the Lambda is inside a VPC, but it has a public subnet to connect to services outside. Previously it didn't, and apiGateway.getRestApi timed out.
Role policy:
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: 'MyRole'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: lambda-execution-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - secretsmanager:GetSecretValue
                - rds:*
                - rds-data:*
                - ses:SendEmail
                - ses:SendRawEmail
                - ec2:DescribeNetworkInterfaces
                - ec2:CreateNetworkInterface
                - ec2:DeleteNetworkInterface
                - s3:*
                - execute-api:*
              Resource: '*'
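> the Lambda is inside a VPC, but it has a public subnet to connect to services outside of it

Sadly, the error is not about public access to API Gateway, which is required to get information about your API.
Instead, the error is about the fact that your Lambda execution role mydev-LambdaExecutionRole does not have permission to execute the GET method on the xxx111yy resource.
Your execute-api:* permissions are for invoking the API. Your Lambda function should have apigateway:* permissions for getting information about the API. For example: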
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": "*"
        }
    ]
}
There are two ways to rectify the issue:
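An added example (not part of the original question or answer): a simplified JavaScript model of how IAM matches Allow statements, run against the denied call from the error above. It shows that execute-api:* never matches apigateway:GET, and that the denied action and ARN can be turned into a statement narrower than Resource "*". Deny statements, conditions, NotAction and NotResource are ignored; the function names are hypothetical and the role ARN in the sample message is constructed.

```javascript
// Added example: simplified model of IAM Allow matching (no Deny, Condition, NotAction, NotResource).
// Inputs are constructed: the message mirrors the error in the question, the policies mirror this page.

// IAM wildcards: '*' matches any run of characters, '?' exactly one character.
function wildcardToRegExp(pattern, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', flags);
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Pull the denied action and resource ARN out of an AccessDeniedException message.
function parseAccessDenied(message) {
  const m = /is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  return m ? { action: m[1], resource: m[2] } : null;
}

// True if any Allow statement covers both the action (case-insensitive) and the resource.
function isAllowed(policy, action, resource) {
  return asArray(policy.Statement).some((s) =>
    s.Effect === 'Allow' &&
    asArray(s.Action).some((a) => wildcardToRegExp(a, 'i').test(action)) &&
    asArray(s.Resource).some((r) => wildcardToRegExp(r).test(resource)));
}

// Narrowest statement that would satisfy exactly this denied call.
function leastPrivilegeStatement(denied) {
  return { Effect: 'Allow', Action: denied.action, Resource: denied.resource };
}

// Constructed message: role and function names are placeholders, action and ARN are from the page.
const message = 'User: arn:aws:sts::123412341234:assumed-role/example-role/example-fn ' +
  'is not authorized to perform: apigateway:GET on resource: ' +
  'arn:aws:apigateway:eu-west-1::/restapis/xxx111yy';

const questionPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: ['s3:*', 'execute-api:*'], Resource: '*' }] };
const answerPolicy = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'apigateway:GET', Resource: '*' }] };

const denied = parseAccessDenied(message);
const scopedPolicy = { Version: '2012-10-17', Statement: [leastPrivilegeStatement(denied)] };

for (const [name, p] of Object.entries({ questionPolicy, answerPolicy, scopedPolicy })) {
  console.log(name, 'allows the denied call:', isAllowed(p, denied.action, denied.resource));
}
```

The scoped statement permits reading only the one REST API named in the error, while the answer's Resource "*" form permits apigateway:GET on every API Gateway resource in the account.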