Adding the `Lambda:InvokeLambda` action permission via CDK so a Lambda can invoke itself does not work

Question (0 votes, 1 answer)

I am trying to use an NPM package called "lambda-warmer". It requires a permission named

lambda:InvokeLambda

I tried to add this permission via CDK, but it failed. This is the code I used. This is the function that adds the rule:

import { Stack } from "aws-cdk-lib";
import { Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";
import { IFunction } from "aws-cdk-lib/aws-lambda";

// ResourcesNames and buildConstructorId are helpers from the asker's own project (not shown on this page).

function addActionPermissionToLambda(
    stack: Stack,
    lambdaFunction: IFunction,
    inlinePolicyName: ResourcesNames,
    resources: string[],
    actions: string[],
): void {
    // The custom statement: whatever actions and resources the caller passes in.
    const addedPolicy = new PolicyStatement({ actions, resources });

    // The CloudWatch Logs actions that AWSLambdaBasicExecutionRole grants, added alongside
    // the custom statement so the function can still write its logs.
    const logActions = new PolicyStatement({
        actions: [
            "logs:CreateLogGroup",
            "logs:PutLogEvents",
            "logs:CreateLogStream",
        ],
        resources: ["*"],
    });

    // Attach both statements to the function's execution role as a single inline policy.
    // IFunction.role is typed as optional in the CDK; this assumes the function was created with a role.
    lambdaFunction.role!.attachInlinePolicy(new Policy(stack, buildConstructorId(stack, inlinePolicyName), {
        statements: [addedPolicy, logActions],
    }));
}

To use this function:

function addInvokeLambdaPermissionToLambda(
    stack: Stack,
    lambdaFunction: IFunction,
    name: ResourcesNames
) {
    addActionPermissionToLambda(stack, lambdaFunction, name, ["*"], ["Lambda:InvokeLambda"]);
}

In the following code:

// ...
const { lambdaFunction, version } = createLambda(
    stack,
    ResourcesNames.ContentManager,
    ResourcesNames.ContentManagerRole,
    "lambdas/contentManager"
);

addInvokeLambdaPermissionToLambda(stack, lambdaFunction, ResourcesNames.ContentManagerInvokeLambda);

I can actually see on the Lambda -> Permissions tab that it has the action

Lambda:InvokeLambda
all resources

as its resource.

When it is invoked, I get this error:

2023-09-13T14:26:03.839Z   5693bfff-5875-450c-a46f-fd2b079cb0ae    ERROR   Invoke Error     { "errorType": "AccessDeniedException", "errorMessage": "User: arn:aws:sts::625618361194:assumed-role/GsharimBackendStack-featu-GsharimBackendStackfeatu-1E62H8T2TSCXO/9604bdfbe04cbac6fb2dc6c98c9fdfde is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-1:625618361194:function:9604bdfbe04cbac6fb2dc6c98c9fdfde because no identity-based policy allows the lambda:InvokeFunction action", "name": "AccessDeniedException", "$fault": "client", "$metadata": { "httpStatusCode": 403, "requestId": "b08af667-4a78-44e2-b545-4bf8e23c31d4", "attempts": 1, "totalRetryDelay": 0 },

Why is this happening? It looks like it has the right action permission, but it still fails saying it does not.

Tags: amazon-web-services aws-lambda amazon-iam aws-cdk aws-roles
1 answer

0 votes

As you can see from the error message, the correct action is lambda:InvokeFunction, not Lambda:InvokeLambda.

Your approach is very fragile, though - consider using Function.grantInvoke instead, calling it on the function you need to grant access to.
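To make the answer's point concrete, here is an added example that is not code from the question, the answer or the lambda-warmer package: a small TypeScript model of IAM identity-policy evaluation, run against the statement the question attaches and against a statement shaped like the one Function.grantInvoke emits (the real action, scoped to the function ARN and to its versions/aliases via "<arn>:*"). The ARNs, account ID and function names are constructed placeholders, and the evaluator is a deliberate simplification (no conditions, no resource-based policies, no SCPs); it exists only to show why the original statement never matches the lambda:InvokeFunction call in the error message, and that the capital "L" was not the problem.

```typescript
// Added example (not code from the question or answer): a minimal IAM
// identity-policy evaluator. It models only what matters here: Allow/Deny,
// "*" and "?" wildcards, case-insensitive action names and case-sensitive
// resource ARNs. It is not an AWS library.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string[];
  Resource: string[];
}

// Convert an IAM glob ("lambda:Invoke*", "arn:...:function:foo:*") to a RegExp.
function globToRegExp(glob: string, ignoreCase: boolean): RegExp {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters, keep * and ?
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "");
}

// Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
// Allow authorizes the request, otherwise the request is implicitly denied.
function isAllowed(policy: Statement[], action: string, resource: string): boolean {
  let allowed = false;
  for (const s of policy) {
    const actionMatch = s.Action.some((a) => globToRegExp(a, true).test(action));
    const resourceMatch = s.Resource.some((r) => globToRegExp(r, false).test(resource));
    if (!actionMatch || !resourceMatch) continue;
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Constructed placeholder ARNs: account, region and function names are made up.
const FN_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:contentManager";
const OTHER_FN_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:unrelated";

// What the question attaches: a non-existent action name on every resource,
// plus the CloudWatch Logs statement.
const questionPolicy: Statement[] = [
  { Effect: "Allow", Action: ["Lambda:InvokeLambda"], Resource: ["*"] },
  {
    Effect: "Allow",
    Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    Resource: ["*"],
  },
];

// The shape Function.grantInvoke produces: the real action, scoped to the
// function itself and to its versions/aliases ("<arn>:*").
const grantInvokePolicy: Statement[] = [
  { Effect: "Allow", Action: ["lambda:InvokeFunction"], Resource: [FN_ARN, `${FN_ARN}:*`] },
];

// The action the SDK call in the error message needs.
const ACTION = "lambda:InvokeFunction";

function evaluate(): Record<string, boolean> {
  return {
    questionPolicyAllowsInvoke: isAllowed(questionPolicy, ACTION, FN_ARN), // false
    grantInvokeAllowsInvoke: isAllowed(grantInvokePolicy, ACTION, FN_ARN), // true
    grantInvokeAllowsAlias: isAllowed(grantInvokePolicy, ACTION, `${FN_ARN}:prod`), // true
    grantInvokeAllowsOtherFunction: isAllowed(grantInvokePolicy, ACTION, OTHER_FN_ARN), // false
    // The capital "L" in the question is not the bug: action names are case-insensitive.
    mixedCaseActionStillMatches: isAllowed(grantInvokePolicy, "Lambda:InvokeFunction", FN_ARN), // true
  };
}

console.log(evaluate());
```

The last two results are the practical takeaway: scoping to the function ARN (what grantInvoke does) keeps the role from invoking unrelated functions, while a statement with a misspelled action grants nothing at all, no matter how broad its resource list is.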
