Red*_*tle 2 amazon-web-services aws-cloudformation amazon-iam
I am trying to use an existing IAM role, which is already used by other services, in a CFN template.
I defined the resource as follows:

```yaml
MyInstanceProfile:
  Type: "AWS::IAM::InstanceProfile"
  Properties:
    Path: "/"
    Roles: ["Capras999"]
```
And I reference it like this:

```yaml
LambdaFunction:
  Type: AWS::Lambda::Function
  Properties:
    Role: !Ref MyInstanceProfile
```
But I get this error:

```
1 validation error detected: Value 'capras-cluster-Prsr-DL-with-params-MyInstanceProfile-1R68JNUXU0SAA' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+ (Service: AWSLambdaInternal; Status Code: 400; Error Code: ValidationException; Request ID: 5f75a56d-8ce4-473e-924e-626a5d3aab0a)
```

What am I doing wrong? Please help me.
For a Lambda function you need a role, not an instance profile.
The solution is to copy and paste the ARN of the existing role into the template. Another possibility is to pass it in as a parameter.

P.S.
Normally you would define an AWS::IAM::Role with a trust policy for Lambda. For example:
```yaml
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: my-lambda-execution-role
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal: {'Service': ['lambda.amazonaws.com']}
          Action: ['sts:AssumeRole']
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AWSLambdaExecute
```
Then for your function you would do:

```yaml
LambdaFunction:
  Type: AWS::Lambda::Function
  Properties:
    Role: !GetAtt LambdaExecutionRole.Arn
```
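A complete template for the "pass it as a parameter" option from the answer above, as an added example (not code from the question or the answer). The role name `Capras999` is taken from the question; the account id `123456789012`, the stack and function names are placeholders. The parameter's `AllowedPattern` is the same regular expression Lambda reports in the error message, so a value that is an instance profile name or a bare role name is rejected when the stack is created, before Lambda ever sees it:

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Reuse an existing IAM role for a Lambda function (added example)

Parameters:
  ExistingLambdaRoleArn:
    Type: String
    Description: >-
      ARN of the existing IAM role the function should assume, e.g.
      arn:aws:iam::123456789012:role/Capras999 (account id is a placeholder).
    # Same pattern Lambda enforces on the Role property (copied from the error
    # message in the question). Rejects an instance-profile physical name or a
    # plain role name at stack validation time.
    AllowedPattern: 'arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+'
    ConstraintDescription: Must be an IAM role ARN, not an instance profile or role name.

Resources:
  LambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: existing-role-demo   # placeholder name
      Runtime: python3.12
      Handler: index.handler
      # !Ref on a String parameter yields the value itself, i.e. the ARN.
      # (!Ref on an AWS::IAM::InstanceProfile yields its physical name, which
      # is what produced the ValidationException in the question.)
      Role: !Ref ExistingLambdaRoleArn
      Code:
        ZipFile: |
          def handler(event, context):
              return {"statusCode": 200}
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name existing-role-demo --parameter-overrides ExistingLambdaRoleArn=arn:aws:iam::123456789012:role/Capras999`. Two things to check on the existing role before reusing it this way: its trust policy must allow `lambda.amazonaws.com` to call `sts:AssumeRole` (a role created for EC2 via an instance profile usually trusts `ec2.amazonaws.com` instead, and Lambda creation then fails with a different error), and because the role is shared with other services, any permissions already attached to it become available to the function as well, so it is worth confirming they are no broader than the function needs.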