我正在尝试在其他服务已在使用的CFN模板中使用现有的IAM角色。
Resource
定义如下:
MyInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles: ["Capras999"]
而且我这样引用它:
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
Role: !Ref MyInstanceProfile
但是我收到此错误:
1 validation error detected: Value 'capras-cluster-Prsr-DL-with-params-MyInstanceProfile-1R68JNUXU0SAA' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+ (Service: AWSLambdaInternal; Status Code: 400; Error Code: ValidationException; Request ID: 5f75a56d-8ce4-473e-924e-626a5d3aab0a)
我在做什么错?请帮助我。
对于lambda函数,您需要role
而不是instance-profile
。
解决方案是将现有角色的ARN]复制并粘贴到模板中。另一种可能性是使用parameter传递它。
ps.s。
通常,您需要为lambda的推力策略定义AWS::IAM::Role。例如:
LambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: my-lambda-execution-role AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: {'Service': ['lambda.amazonaws.com']} Action: ['sts:AssumeRole'] ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSLambdaExecute
然后执行您的功能:
LambdaFunction:
Type: AWS::Lambda::Function
Properties:
Role: !GetAtt LambdaExecutionRole.Arn
您正在将实例名称指定为值,此参数应该是所讨论的IAM角色的Arn。