CloudFormation API Gateway Lambda integration request not getting the correct permissions?

Question (votes: 3, answers: 1)

I have a CloudFormation stack template that creates an API Gateway resource whose method has Type: LAMBDA_PROXY. It initially works fine when accessing the root domain, e.g. https://28af295f439b5f0aef7c7805864ba3981f282e1e.guacchain.com, but when I try to access https://28af295f439b5f0aef7c7805864ba3981f282e1e.guacchain.com/about the network request comes back with status code 500 and the response {"message": "Internal server error"}.

The generated Lambda function has this as its resource-based policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "stack-28af295f439b5f0aef7c7805864ba3981f282e1e-lambdaApiGatewayInvoke-128TRSSUE8WDQ",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:378688096774:function:lambda-28af295f439b5f0aef7c7805864ba3981f282e1e",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:378688096774:bccwb0kvvd/*/*/*"
        }
      }
    }
  ]
}

When I go to the API Gateway Integration Request page and simply edit the Lambda Function field (cut the existing value, paste it back, then click the checkmark), I get this "Add Permission" popup:

[screenshot: "Add Permission" dialog]

After clicking OK and refreshing the Lambda console page, its resource-based policy is updated to contain two seemingly duplicate statements (the only difference being the Sid field):

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "stack-28af295f439b5f0aef7c7805864ba3981f282e1e-lambdaApiGatewayInvoke-128TRSSUE8WDQ",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:378688096774:function:lambda-28af295f439b5f0aef7c7805864ba3981f282e1e",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:378688096774:bccwb0kvvd/*/*/*"
        }
      }
    },
    {
      "Sid": "d6d795d4-8461-4774-bd6e-ae8d8ea3bcee",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:378688096774:function:lambda-28af295f439b5f0aef7c7805864ba3981f282e1e",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:378688096774:bccwb0kvvd/*/*/*"
        }
      }
    }
  ]
}

After deploying the API Gateway and waiting about a minute, https://28af295f439b5f0aef7c7805864ba3981f282e1e.guacchain.com/about finally became accessible. So my question is: what was lacking in the original Lambda resource-based policy that blocked all requests other than / from being accessed on the domain?

One subtle issue I want to point out: when the Lambda function name was cut and pasted back on the Integration Request page, it did not show up as an autocomplete option, whereas the others did.

This is the lambdaIAMRole I defined in the CloudFormation stack:

  lambdaIAMRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 'sts:AssumeRole'
            Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
      Policies:
        - PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Effect: Allow
                Resource:
                  - !Sub >-
                    arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${lambdaFunctionName}:*
          PolicyName: lambda

And the Lambda function resource has Role: !GetAtt lambdaIAMRole.Arn in its Properties field.

Tags: amazon-web-services aws-lambda amazon-cloudformation amazon-iam

1 answer

Votes: 2

Based on the comments and a review of the CloudFormation template, the problem turned out to be caused by an incorrect IntegrationHttpMethod setting in apiGatewayLambdaResourceMethod.

Instead of

IntegrationHttpMethod: GET

it should be

IntegrationHttpMethod: POST

This is because AWS_PROXY for Lambda requires the POST method, not GET.
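The distinction behind the answer is that HttpMethod is what the client sends to API Gateway, while IntegrationHttpMethod is what API Gateway sends to the backend; Lambda's Invoke endpoint only accepts POST, so a GET integration fails and surfaces as a 500 "Internal server error", regardless of how the function's resource-based policy looks. The following Python script is an added example, not code from the question or the answer: it embeds a constructed minimal template in CloudFormation's JSON form (the logical ID apiGatewayLambdaResourceMethod follows the question; lambdaFunction, apiGateway and apiGatewayAboutResource are assumed), lints every AWS::ApiGateway::Method whose integration targets Lambda for the wrong IntegrationHttpMethod, and produces a corrected copy.

```python
import copy

# Constructed minimal template in CloudFormation's JSON form, written for this example;
# it is not the asker's template. "apiGatewayLambdaResourceMethod" follows the question's
# naming; "lambdaFunction", "apiGateway" and "apiGatewayAboutResource" are assumed IDs.
BROKEN_TEMPLATE = {
    "Resources": {
        "apiGatewayLambdaResourceMethod": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                # HttpMethod is the client-facing verb; GET (or ANY) is fine here.
                "HttpMethod": "GET",
                "AuthorizationType": "NONE",
                "RestApiId": {"Ref": "apiGateway"},
                "ResourceId": {"Ref": "apiGatewayAboutResource"},
                "Integration": {
                    "Type": "AWS_PROXY",
                    # IntegrationHttpMethod is the verb API Gateway uses against the
                    # backend. Lambda's Invoke endpoint only accepts POST, so GET here
                    # fails and the client sees 500 {"message": "Internal server error"}.
                    "IntegrationHttpMethod": "GET",
                    "Uri": {
                        "Fn::Sub": "arn:aws:apigateway:${AWS::Region}:lambda:path/"
                                   "2015-03-31/functions/${lambdaFunction.Arn}/invocations"
                    },
                },
            },
        },
        # The resource-based permission shown in the question is not what causes the 500.
        "lambdaApiGatewayInvoke": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Fn::GetAtt": ["lambdaFunction", "Arn"]},
                "Principal": "apigateway.amazonaws.com",
                "SourceArn": {
                    "Fn::Sub": "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:"
                               "${apiGateway}/*/*/*"
                },
            },
        },
    }
}


def _uri_text(uri):
    """Flatten a Uri given as a plain string, Fn::Sub (string or list form) or Fn::Join."""
    if isinstance(uri, str):
        return uri
    if isinstance(uri, dict):
        if "Fn::Sub" in uri:
            sub = uri["Fn::Sub"]
            return sub if isinstance(sub, str) else _uri_text(sub[0])
        if "Fn::Join" in uri:
            delimiter, parts = uri["Fn::Join"]
            return delimiter.join(_uri_text(part) for part in parts)
    return ""


def _is_lambda_integration(integration):
    """AWS_PROXY always targets Lambda; a plain AWS integration does if its Uri is a Lambda path."""
    itype = integration.get("Type")
    if itype == "AWS_PROXY":
        return True
    return itype == "AWS" and ":lambda:path/" in _uri_text(integration.get("Uri"))


def lint_lambda_integrations(template):
    """Return one finding per Method whose Lambda integration does not use POST."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ApiGateway::Method":
            continue
        integration = resource.get("Properties", {}).get("Integration", {})
        if not _is_lambda_integration(integration):
            continue
        method = integration.get("IntegrationHttpMethod")
        if method != "POST":
            findings.append(
                f"{logical_id}: Integration.Type={integration.get('Type')} invokes Lambda, "
                f"which requires IntegrationHttpMethod POST, found {method!r}"
            )
    return findings


def fix_lambda_integrations(template):
    """Return a deep copy of the template with every Lambda integration switched to POST."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") != "AWS::ApiGateway::Method":
            continue
        integration = resource.get("Properties", {}).get("Integration", {})
        if _is_lambda_integration(integration):
            integration["IntegrationHttpMethod"] = "POST"
    return fixed


if __name__ == "__main__":
    for finding in lint_lambda_integrations(BROKEN_TEMPLATE):
        print("FINDING:", finding)
    print("after fix:", lint_lambda_integrations(fix_lambda_integrations(BROKEN_TEMPLATE)))
```

The lint deliberately ignores HttpMethod and only looks at IntegrationHttpMethod, because that is the field the answer identifies; run it against a template converted to JSON before deploying, and the same check can be folded into a pre-deployment hook so a GET integration never reaches a stack.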
