函数执行角色没有RDS代理权限

问题描述 投票:0回答:1

我有这样的配置:

  Resources:

SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName:
      Fn::Join:
        - '-'
        - - Ref: AWS::StackName
          - ${self:custom.stage}
          - sg
    GroupDescription: Allow all traffic on ports 5432
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 5432
        ToPort: 5432
        CidrIp: 0.0.0.0/0

RDSDBInstance:
  Type: AWS::RDS::DBInstance
  Properties:
    DBInstanceIdentifier: !Ref DBInstanceID
    DBName: !Ref DBName
    DBInstanceClass: !Ref DBInstanceClass
    AllocatedStorage: !Ref DBAllocatedStorage
    Engine: postgres
    EngineVersion: "15.5"
    MasterUsername: !Join ["", ["{{resolve:secretsmanager:", !Ref ProxySecret, ":SecretString:username}}"]]
    MasterUserPassword: !Join ["", ["{{resolve:secretsmanager:", !Ref ProxySecret, ":SecretString:password}}"]]
    VPCSecurityGroups:
      - Fn::GetAtt: [ SecurityGroup, GroupId ]

DBProxy:
  Type: AWS::RDS::DBProxy
  Properties:
    DBProxyName: rdsproxy
    RoleArn: !GetAtt [ RDSProxyRole, Arn ]
    DebugLogging: true
    RequireTLS: true
    Auth: [ {AuthScheme: SECRETS, SecretArn: !Ref ProxySecret} ]
    EngineFamily: POSTGRESQL
    VpcSecurityGroupIds: [!GetAtt [ SecurityGroup, GroupId ]]
    VpcSubnetIds:
      - ${env:SUBNET_ID_1}
      - ${env:SUBNET_ID_2}

ProxyTargetGroup:
  Type: AWS::RDS::DBProxyTargetGroup
  Properties:
    DBProxyName: !Ref DBProxy
    DBInstanceIdentifiers: [!Ref RDSDBInstance]
    TargetGroupName: default
    ConnectionPoolConfigurationInfo:
      MaxConnectionsPercent: 100
      MaxIdleConnectionsPercent: 50
      ConnectionBorrowTimeout: 120

ProxySecret:
  Type: AWS::SecretsManager::Secret
  Properties:
    Name: ProxySecret
    GenerateSecretString:
      SecretStringTemplate: '{"username": "masterpassword"}'
      GenerateStringKey: "password"
      PasswordLength: 30
      ExcludePunctuation: true

RDSProxyRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service: "rds.amazonaws.com"
          Action: "sts:AssumeRole"
    Policies:
      - PolicyName: "RDSProxyPolicy"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action:
                - "secretsmanager:*"
              Resource: "*"

在我的 lambda 函数中,我授予它权限,以便它可以连接到 rds-proxy。

iam:
  role:
    statements:
      - Effect: "Allow"
        Action:
          - rds-db:connect
        Resource: '*'
      - Effect: "Allow"
        Action:
          - secretsmanager:*
        Resource: "*"

但是当运行与 apigateway 集成的 lambda 时,我遇到超时。此外,aws 控制台还向我显示消息:函数执行角色:arn:aws:iam::#####:role/proyect-lambdaRole 没有 RDS 代理的权限。

amazon-web-services amazon-rds
1个回答
0
投票

检查附加到 lambda 的策略是否指向正确的 ARN。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.