我正在尝试使用 cloudformation 创建 lambda 函数,但它需要 lambda 执行角色 - 有没有一种方法可以使用 cloudformation 生成一个 lambda 函数?
是的,CloudFormation 可用于创建 IAM 角色。 lambda 执行角色是一个 IAM 角色,与任何其他 IAM 角色一样。执行此操作的文档显示了以下示例:
MyRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument: Json
Description: String
ManagedPolicyArns:
- String
MaxSessionDuration: Integer
Path: String
PermissionsBoundary: String
Policies:
- Policy
RoleName: String
Tags:
- Tag
然后在 lambda 中,使用角色资源名称的 ref 来引用它。例如:
MyLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Role: !GetAtt MyRole.Arn
您可以使用角色策略创建 IAM 角色,该角色将从预定义的 AWS FloudFormation 变量中获取区域和账户 ID,并将其分配给云形成中的 lambda 元素。请参考以下例子
"Resources": {
"AheadLambdaRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": {
"Fn::Sub": "AHEADLambdaRole-${EnvName}"
},
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
}
}
],
"Version": "2012-10-17"
},
"Policies": [{
"PolicyDocument" : {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": {
"Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*"
}
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
{ "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/LambdaName:*"}
]
}
]
},
"PolicyName" : "NameOfInlinepolicy"
}]
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
"arn:aws:iam::aws:policy/AmazonSSMFullAccess"
],
"Path": "/"
}
}}