Access denied error when inserting into AWS Timestream on a serverless stack

sed*_*dhu 1 amazon-web-services aws-cloudformation serverless amazon-timestream

I am trying to insert records into my AWS Timestream table. It results in an access denied error.

These are the permissions in serverless.yml:

    - Effect: Allow
      Action:
        - timestream:*
      Resource:
        - arn:aws:timestream:${self:provider.region}:*:database/*
        - arn:aws:timestream:${self:provider.region}:*:database/*/*/*

Here are the role details for my Lambda:

{
    "Action": [
        "timestream:*"
    ],
    "Resource": [
        "arn:aws:timestream:us-east-1:*:database/*",
        "arn:aws:timestream:us-east-1:*:database/*/*/*"
    ],
    "Effect": "Allow"
},

Sample record:

{
    "DatabaseName": "developmentreportsdb",
    "TableName": "developmenteventstable",
    "Records": [
        {
            "Dimensions": [
                {
                    "Name": "accountId",
                    "Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
                },
                {
                    "Name": "userId",
                    "Value": "6921e43e-266c-4adf-8a69-d90bd8743d1b"
                }
            ],
            "MeasureName": "ACCOUNT.NEW",
            "MeasureValue": "6921e43e-266c-4adf-8a69-d90bd8743d1b",
            "MeasureValueType": "VARCHAR",
            "Time": "1644234263813",
            "TimeUnit": "MILLISECONDS",
            "Version": 1
        }
    ]
}


Error details:

Error writing records: AccessDeniedException: User: arn:aws:sts::344128203239:assumed-role/development-us-east-1-lambdaRole/development-worker is not authorized to perform: timestream:DescribeEndpoints because no identity-based policy allows the timestream:DescribeEndpoints action

TIA. What am I missing here?

小智 5

The DescribeEndpoints permission is needed to resolve the endpoint that the Timestream SDK must connect to. It is required for both read and write access.

The following example policy allows the user read access only:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "timestream:Select",
            "Resource": "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*"
        }
    ]
}

Here is an example of the minimum permissions required for a user to have write-only access:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "timestream:WriteRecords"
            ],
            "Resource": [
                "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*"
        }
    ]
}

Here is an example where a user has both permissions (read + write):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "timestream:WriteRecords",
                "timestream:Select"
            ],
            "Resource": [
                "arn:aws:timestream:us-east-1:4xxxxxxxxxxx:database/my_db/table/my_table"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "timestream:DescribeEndpoints"
            ],
            "Resource": "*"
        }
    ]
}
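As an added illustration (not part of the question or the answer above), the script below models the part of IAM policy evaluation that produces the error in the question: timestream:DescribeEndpoints supports no resource-level permissions, so the request is evaluated against resource "*", and a statement whose Resource is limited to database/table ARNs never matches it. The script replays the asker's statement and a least-privilege write-only policy of the shape the answer recommends against a constructed table ARN (placeholder account id 123456789012, the question's database and table names). Conditions, NotAction/NotResource, SCPs and resource policies are deliberately left out; the real check is `aws iam simulate-principal-policy` against the Lambda role.

```python
"""Simplified IAM policy evaluation for the Timestream DescribeEndpoints pitfall.

Added example; not part of the original question or answer. It models only the
parts of IAM evaluation that matter here: explicit Allow/Deny statements, '*'
and '?' wildcards in Action and Resource, and case-insensitive action names.
Conditions, NotAction/NotResource, SCPs, permission boundaries and resource
policies are deliberately left out.
"""
import re


def _wildcard_match(pattern, value, case_insensitive):
    """Match an IAM wildcard pattern ('*' any run, '?' one char) against value."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_wildcard_match(a, action, True) for a in actions):
            continue
        if not any(_wildcard_match(r, resource, False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


# timestream:DescribeEndpoints supports no resource-level permissions, so the
# request carries resource "*" and only a statement with Resource "*" can allow it.
WRITE_PATH = (("timestream:DescribeEndpoints", "*"), ("timestream:WriteRecords", None))


def missing_for_write(policy, table_arn):
    """List the actions a WriteRecords call still lacks under this policy."""
    missing = []
    for action, fixed_resource in WRITE_PATH:
        if evaluate(policy, action, fixed_resource or table_arn) != "Allow":
            missing.append(action)
    return missing


# Constructed sample: the question's database/table names with a placeholder account id.
TABLE_ARN = ("arn:aws:timestream:us-east-1:123456789012:"
             "database/developmentreportsdb/table/developmenteventstable")

# The statement as posted in the question (table-scoped only, nothing on "*").
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["timestream:*"],
        "Resource": ["arn:aws:timestream:us-east-1:*:database/*",
                     "arn:aws:timestream:us-east-1:*:database/*/*/*"],
    }],
}

# Least-privilege write-only policy in the shape the answer recommends.
WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["timestream:WriteRecords"], "Resource": [TABLE_ARN]},
        {"Effect": "Allow", "Action": ["timestream:DescribeEndpoints"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("asker's role is missing:", missing_for_write(ASKER_POLICY, TABLE_ARN))
    print("write-only policy is missing:", missing_for_write(WRITE_ONLY_POLICY, TABLE_ARN))
    print("write-only policy on Select:",
          evaluate(WRITE_ONLY_POLICY, "timestream:Select", TABLE_ARN))
```

Running it reports that the asker's statement lacks only timestream:DescribeEndpoints, that the write-only policy covers the whole write path, and that the same write-only policy still implicitly denies timestream:Select, which is the least-privilege property the answer's split between a table-scoped data-plane statement and a "*"-scoped DescribeEndpoints statement is meant to preserve. The serverless.yml equivalent of the fix is a second iamRoleStatements entry granting timestream:DescribeEndpoints on Resource "*".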