I am trying to use an NPM package called "lambda-warmer". It needs a permission called lambda:InvokeLambda.
I tried adding this permission through CDK, but it failed.
This is the code I used to try to do it.
This is the function that adds the policy:
    import { Stack } from "aws-cdk-lib";
    import { IFunction } from "aws-cdk-lib/aws-lambda";
    import { Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
    // ResourcesNames and buildConstructorId are the project's own helpers (not shown here).

    function addActionPermissionToLambda(
      stack: Stack,
      lambdaFunction: IFunction,
      inlinePolicyName: ResourcesNames,
      resources: string[],
      actions: string[],
    ): void {
      const addedPolicy = new PolicyStatement({ actions, resources });
      // Since adding a policy overrides the basic actions/permissions, we need to add those too
      // (also known as "AWSLambdaBasicExecutionRole").
      const logActions = new PolicyStatement({
        actions: [
          "logs:CreateLogGroup",
          "logs:PutLogEvents",
          "logs:CreateLogStream",
        ],
        resources: ["*"],
      });
      lambdaFunction.role.attachInlinePolicy(
        new Policy(stack, buildConstructorId(stack, inlinePolicyName), {
          statements: [addedPolicy, logActions],
        }),
      );
    }
To use this function:
    function addInvokeLambdaPermissionToLambda(
      stack: Stack,
      lambdaFunction: IFunction,
      name: ResourcesNames,
    ) {
      addActionPermissionToLambda(stack, lambdaFunction, name, ["*"], ["Lambda:InvokeLambda"]);
    }
In the following code:
    ...
    const { lambdaFunction, version } = createLambda(
      stack,
      ResourcesNames.ContentManager,
      ResourcesNames.ContentManagerRole,
      "lambdas/contentManager",
    );
    addInvokeLambdaPermissionToLambda(stack, lambdaFunction, ResourcesNames.ContentManagerInvokeLambda);
I can actually see, on the lambda -> Permissions tab, that it has the action Lambda:InvokeLambda with all resources as its resource.
When it is invoked, I get this error:
2023-09-13T14:26:03.839Z 5693bfff-5875-450c-a46f-fd2b079cb0ae ERROR Invoke Error { "errorType": "AccessDeniedException", "errorMessage": "User: arn:aws:sts::625618361194:assumed-role/GsharimBackendStack-featu-GsharimBackendStackfeatu-1E62H8T2TSCXO/9604bdfbe04cbac6fb2dc6c98c9fdfde is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-1:625618361194:function:9604bdfbe04cbac6fb2dc6c98c9fdfde because no identity-based policy allows the lambda:InvokeFunction action", "name": "AccessDeniedException", "$fault": "client", "$metadata": { "httpStatusCode": 403, "requestId": "b08af667-4a78-44e2-b545-4bf8e23c31d4", "attempts": 1, "totalRetryDelay": 0 },
Why is this happening? It looks like it has the right action permission, but it still fails, saying it doesn't.
As you can see from the error message, the correct action is lambda:InvokeFunction, not Lambda:InvokeLambda.
Your approach is quite fragile, though - consider using Function.grantInvoke instead, calling it on the function you need to grant access to.
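As an added illustration (not code from the question or the answer), here is a small TypeScript model of the part of IAM policy evaluation that matters here: it shows that the question's statement (a non-existent action on "*") never matches the lambda:InvokeFunction call, while the scoped statement that Function.grantInvoke produces does. The ARN and account ID are constructed placeholders; the evaluator is deliberately simplified (Allow/Deny only, no conditions or NotAction).

```typescript
// Simplified IAM statement shape (identity-based policy, no conditions).
type Statement = { Effect: "Allow" | "Deny"; Action: string[]; Resource: string[] };

// Turn an IAM pattern into a RegExp: "*" matches any run, "?" one character.
function globToRegExp(pattern: string, ignoreCase: boolean): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "");
}

// Action names are compared case-insensitively (as IAM does); resource ARNs case-sensitively.
// An explicit Deny wins over any Allow; with no matching Allow the default is deny.
function isAllowed(statements: Statement[], action: string, resource: string): boolean {
  let allowed = false;
  for (const s of statements) {
    const actionHit = s.Action.some((a) => globToRegExp(a, true).test(action));
    const resourceHit = s.Resource.some((r) => globToRegExp(r, false).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Constructed placeholder standing in for the question's function ARN.
const FN_ARN = "arn:aws:lambda:eu-west-1:111111111111:function:contentManager";

// What the question's addInvokeLambdaPermissionToLambda produced: a non-existent action on "*".
const questionPolicy: Statement[] = [
  { Effect: "Allow", Action: ["Lambda:InvokeLambda"], Resource: ["*"] },
];

// What Function.grantInvoke adds to the caller's role: the real action, scoped to the target
// function plus ":*" for its versions and aliases.
const grantInvokePolicy: Statement[] = [
  { Effect: "Allow", Action: ["lambda:InvokeFunction"], Resource: [FN_ARN, `${FN_ARN}:*`] },
];

// Evaluate the call that failed in the question's error message against both policies.
function demo(): Record<string, boolean> {
  const otherFn = FN_ARN.replace("contentManager", "otherFunction");
  return {
    questionPolicyAllowsInvoke: isAllowed(questionPolicy, "lambda:InvokeFunction", FN_ARN),
    grantInvokeAllowsInvoke: isAllowed(grantInvokePolicy, "lambda:InvokeFunction", FN_ARN),
    grantInvokeAllowsVersion: isAllowed(grantInvokePolicy, "lambda:InvokeFunction", `${FN_ARN}:3`),
    grantInvokeLeaksToOtherFn: isAllowed(grantInvokePolicy, "lambda:InvokeFunction", otherFn),
  };
}
```

The console showed the statement exactly as written, which is why it "looked right"; the evaluator only tells you whether the call you actually make is covered.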