I have a CloudFormation stack template that creates an API Gateway resource whose method has `Type: LAMBDA_PROXY`. It initially worked fine when accessing the root of the domain, e.g. https://28af295f439b5f0aef7c7805864ba3981f282e1e.guacchain.com, but when I tried to access https://28af295f439b5f0aef7c7805864ba3981f282e1e.guacchain.com/about the request came back with status code 500 and the response `{"message": "Internal server error"}`.

The generated Lambda function has this as its resource-based policy:
```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "stack-28af295f439b5f0aef7c7805864ba3981f282e1e-lambdaApiGatewayInvoke-128TRSSUE8WDQ",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:378688096774:function:lambda-28af295f439b5f0aef7c7805864ba3981f282e1e",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:378688096774:bccwb0kvvd/*/*/*"
        }
      }
    }
  ]
}
```
When I went to the API Gateway Integration Request page and simply edited the Lambda Function field (cut the existing value, pasted it back, then clicked the check mark), I got this "Add Permission" popup.

After clicking "OK" and refreshing the Lambda console page, its resource-based policy was updated to contain two seemingly duplicate statements (the only difference being the `Sid` field):
```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "stack-28af295f439b5f0aef7c7805864ba3981f282e1e-lambdaApiGatewayInvoke-128TRSSUE8WDQ",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:378688096774:function:lambda-28af295f439b5f0aef7c7805864ba3981f282e1e",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:378688096774:bccwb0kvvd/*/*/*"
        }
      }
    },
    {
      "Sid": "d6d795d4-8461-4774-bd6e-ae8d8ea3bcee",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:378688096774:function:lambda-28af295f439b5f0aef7c7805864ba3981f282e1e",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:execute-api:us-east-1:378688096774:bccwb0kvvd/*/*/*"
        }
      }
    }
  ]
}
```
After deploying the API Gateway and waiting about a minute, https://28af295f439b5f0aef7c7805864ba3981f282e1e.guacchain.com/about finally became reachable. So my question is: what was insufficient about the original Lambda resource-based policy, such that it blocked every request except the one to `/` on the domain?

One subtle issue I want to point out: when the Lambda function name was cut and pasted back on the Integration Request page, it did not show up as an autocomplete option, while the others did.

This is the `lambdaIAMRole` defined in my CloudFormation stack:
```yaml
lambdaIAMRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
    Policies:
      - PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Action:
                - 'logs:CreateLogGroup'
                - 'logs:CreateLogStream'
                - 'logs:PutLogEvents'
              Effect: Allow
              Resource:
                - !Sub >-
                  arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${lambdaFunctionName}:*
        PolicyName: lambda
```
And the Lambda function resource has `Role: !GetAtt lambdaIAMRole.Arn` in its `Properties` field.
Based on the comments and an inspection of the CloudFormation template, the problem turned out to be an incorrectly set `IntegrationHttpMethod` in `apiGatewayLambdaResourceMethod`.

Instead of

```yaml
IntegrationHttpMethod: GET
```

it should be

```yaml
IntegrationHttpMethod: POST
```

This is because `AWS_PROXY` for Lambda requires the `POST` method, not `GET`.
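As an added example (not code from the question or the answer), the following Python check scans a CloudFormation template in its JSON form and flags every `AWS::ApiGateway::Method` whose `AWS_PROXY` integration does not use `POST` as its `IntegrationHttpMethod`, which is exactly the mismatch diagnosed above; a second function rewrites such integrations to `POST`. The template fragment and its logical IDs are constructed for illustration, with the `GET` value mirroring the bug in the thread.

```python
import json

# Constructed sample: a JSON-form CloudFormation fragment modelled on the
# thread (hypothetical logical IDs; the GET value mirrors the bug described).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "apiGatewayRootMethod": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "HttpMethod": "ANY",
                "Integration": {"Type": "AWS_PROXY", "IntegrationHttpMethod": "POST"},
            },
        },
        "apiGatewayLambdaResourceMethod": {
            "Type": "AWS::ApiGateway::Method",
            "Properties": {
                "HttpMethod": "ANY",
                "Integration": {"Type": "AWS_PROXY", "IntegrationHttpMethod": "GET"},
            },
        },
    }
})


def find_bad_proxy_integrations(template_json):
    """Return logical IDs of AWS::ApiGateway::Method resources whose AWS_PROXY
    integration does not set IntegrationHttpMethod to POST. A Lambda proxy
    integration always calls Lambda's Invoke API with POST, whatever HttpMethod
    the client used, so any other value only fails at request time (HTTP 500)."""
    resources = json.loads(template_json).get("Resources", {})
    bad = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::Method":
            continue
        integration = res.get("Properties", {}).get("Integration", {})
        if integration.get("Type") == "AWS_PROXY" and integration.get("IntegrationHttpMethod") != "POST":
            bad.append(logical_id)
    return bad


def fix_proxy_integrations(template_json):
    """Return the template (as JSON text) with every AWS_PROXY integration forced to POST."""
    template = json.loads(template_json)
    for res in template.get("Resources", {}).values():
        integration = res.get("Properties", {}).get("Integration", {})
        if res.get("Type") == "AWS::ApiGateway::Method" and integration.get("Type") == "AWS_PROXY":
            integration["IntegrationHttpMethod"] = "POST"
    return json.dumps(template)
```

Running the check before `aws cloudformation deploy` catches the misconfiguration at review time instead of as a 500 on the deployed endpoint.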