I am trying to set up a Lambda to access one of the EC2 instances in a VPC, which has a Mongo server on it. After selecting all subnets and security groups, I get the following error when saving:

"You are not authorized to perform: CreateNetworkInterface."

I believe I need to create some kind of policy in AWS IAM to allow this. I have "AdministratorAccess" and I am trying to add the IAM role to my account.

Does anyone know what policy/role I need?
Got it!!! It would make more sense if the error message said "This Lambda function is not authorized to perform: CreateNetworkInterface"; then it would be clearer that the Lambda role needs to be modified with an appropriate policy. Fixed the problem by adding this policy to the role that Lambda is using:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:CreateNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "autoscaling:CompleteLifecycleAction",
        "ec2:DeleteNetworkInterface"
      ]
    }
  ]
}
```
It is necessary to provide the policy actions to the lambda:

```yaml
NetworkLambdaRole:
  Type: "AWS::IAM::Role"
  Properties:
    RoleName: "Network-Lambda-Role"
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        -
          Effect: "Allow"
          Principal:
            Service:
              - "lambda.amazonaws.com"
          Action:
            - "sts:AssumeRole"
    Policies:
      - PolicyName: "network-lambda-role-policy"
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: "Allow"
              Action: [
                "ec2:DescribeInstances",
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"
              ]
              Resource: "*"
```
Note: blueskin's answer is missing the policy `ec2:DeleteNetworkInterfaces`
There is an AWS managed policy that contains the permissions needed to allow a Lambda function to manage its ENI interfaces.

Add this policy to the Lambda function's execution role:

`arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess`

As of January 9, 2024, the permissions it contains are as follows:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses"
      ],
      "Resource": "*"
    }
  ]
}
```
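The answers above differ in which ENI actions they grant, and one comment points out a missing `ec2:DeleteNetworkInterface`. As an added example (not code from any of the answers), this Python check takes a policy document as JSON and reports which of the actions listed for `AWSLambdaENIManagementAccess` above it does not grant; the sample policy inside it is constructed, and it assumes the policies under test use only `Action`/`Effect` (no `NotAction` or `Condition`).

```python
import fnmatch
import json

# Reference set: the actions this page lists for AWSLambdaENIManagementAccess.
LAMBDA_ENI_ACTIONS = frozenset({
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
    "ec2:AssignPrivateIpAddresses",
    "ec2:UnassignPrivateIpAddresses",
})

# Constructed sample (not from the page): an inline policy that forgot the
# delete permission, leaving orphaned ENIs behind when the function is removed.
SAMPLE_POLICY_MISSING_DELETE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                   "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses"],
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Statement and Action."""
    return [] if value is None else value if isinstance(value, list) else [value]


def allowed_actions(policy, wanted=LAMBDA_ENI_ACTIONS):
    """Subset of `wanted` that the policy allows: case-insensitive, '*'/'?'
    wildcard aware, and an explicit Deny wins over Allow as in IAM evaluation.
    Assumption: statements carry Action/Effect only (no NotAction, no Condition)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in wanted:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied


def missing_eni_actions(policy_json, wanted=LAMBDA_ENI_ACTIONS):
    """Sorted list of actions from `wanted` that the policy JSON does not grant."""
    return sorted(wanted - allowed_actions(json.loads(policy_json), wanted))


if __name__ == "__main__":
    print("missing:", missing_eni_actions(SAMPLE_POLICY_MISSING_DELETE))
```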