Error creating a skill with CloudFormation

Question (1 vote, 2 answers)

I have been developing an Alexa skill for a month and want to create it via CloudFormation. For this I use the following:

Lambda function

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Lambda Function from Cloud Formation by Felix Vazquez",
   "Resources": {
      "Lambda1": {
         "Type": "AWS::Lambda::Function",
         "Properties": {
            "Code": {
               "S3Bucket": "felix-lambda-code",
               "S3Key": "hello_lambda.zip"
            },
            "Description": "Test with Cloud Formation",
            "FunctionName": "Felix-hello-world1234",
            "Handler": "lambda_function.lambda_handler",
            "Role": "arn:aws:iam::776831754616:role/testRol",
            "Runtime": "python2.7"
         }
      }
   }
}

Alexa Skill

{
    "Resources": {
        "23LT3": {
            "Type": "Alexa::ASK::Skill",
            "Properties": {
                "AuthenticationConfiguration": {
                    "ClientId": "+my client ID+",
                    "ClientSecret": "+my client Secret+",
                    "RefreshToken": "+The token i generate via lwa+"
                },
                "VendorId": "+my vendor ID+",
                "SkillPackage": {
                    "S3Bucket": "myskillpackagebucket",
                    "S3Key": "my_function10.zip",
                    "S3BucketRole": {
                        "Fn::GetAtt": [
                            "IAMRU6TJ",
                            "Arn"
                        ]
                    },
                    "Overrides": {
                        "Manifest": {
                            "apis": {
                                "custom": {
                                    "endpoint": {
                                        "uri": {
                                            "Fn::GetAtt": [
                                                "Lambda1",
                                                "Arn"
                                            ]
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

Now the ROLE

{
    "Resources": {
        "IAMRU6TJ": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "s3.amazonaws.com",
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "root",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}

The skill depends on the Lambda and the IAM role. When I "create stack", after a few seconds it gives me this error:

Unable to assume the provided role. Reason: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b2e8762c-2593-11e9-b3ec-872599411915)

For the token I used:

ask util generate-lwa-tokens --scope "alexa::ask:skills:readwrite alexa::ask:models:readwrite profile"

Event image:

[Image: Event after execution]

Tags: amazon-web-services aws-lambda amazon-cloudformation alexa-skill

2 answers

3 votes

Your Alexa::ASK::Skill resource: 23LT3['Properties']['SkillPackage']['S3BucketRole']

The documentation says: The ARN of the role that grants the Alexa service permission to access the bucket and retrieve the skill package. This role is optional; if it is not provided, the bucket must be configured with a policy that allows this access, or the archive must be publicly accessible, so that AWS CloudFormation can create the skill.

Currently your role allows s3.amazonaws.com and lambda.amazonaws.com to assume a role that can do anything in your AWS account, but you need to "grant the Alexa service permission..."

Best practice is to use the minimum permissions necessary, but if you are just testing it, I get it.


0 votes

I struggled to find the necessary details documented anywhere. Here is the role I used to make this work.

  AlexaReadRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - alexa-appkit.amazon.com
            Sid: AllowServiceToAssumeRole
        Version: "2012-10-17"
      Policies:
        - PolicyName: "AlexaS3Read"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "s3:GetObject"
                Resource: "arn:aws:s3:::<bucket-name>/<path-to-alexa-files>/*"
    Type: AWS::IAM::Role
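As an added example (not code from either answer or from AWS), a small Python check one can run over a template dict before creating the stack: it finds every Alexa::ASK::Skill, follows S3BucketRole to the role in the same template, and reports when the trust policy does not name alexa-appkit.amazon.com (the principal from the answer above) or when an inline policy grants Action `*` on Resource `*`, as the role in the question does. `make_template` is a constructed helper that builds a minimal template shaped like the question's; it is not the poster's file.

```python
ALEXA_PRINCIPAL = "alexa-appkit.amazon.com"  # service principal the second answer trusts

def _as_list(value):  # IAM documents allow a bare string wherever a list is expected
    return value if isinstance(value, list) else [value]

def _allow_statements(document):
    return [s for s in _as_list(document.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_skill_roles(template):
    """Findings for each Alexa::ASK::Skill whose S3BucketRole is an AWS::IAM::Role in this template."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "Alexa::ASK::Skill":
            continue
        role_ref = res.get("Properties", {}).get("SkillPackage", {}).get("S3BucketRole")
        if not isinstance(role_ref, dict) or "Fn::GetAtt" not in role_ref:
            findings.append(f"{name}: S3BucketRole is not a Fn::GetAtt to a role in this template")
            continue
        role_name = role_ref["Fn::GetAtt"][0]
        role = resources.get(role_name, {})
        if role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{name}: S3BucketRole points at {role_name}, which is not an AWS::IAM::Role here")
            continue
        props = role.get("Properties", {})
        # The trust policy decides who may call sts:AssumeRole; the 403 in the question comes from here.
        trusted = set()
        for stmt in _allow_statements(props.get("AssumeRolePolicyDocument", {})):
            principal = stmt.get("Principal", {})
            if isinstance(principal, dict):
                trusted.update(_as_list(principal.get("Service", [])))
        if ALEXA_PRINCIPAL not in trusted:
            findings.append(f"{role_name}: trust policy does not let {ALEXA_PRINCIPAL} assume it (trusted: {sorted(trusted)})")
        # Fetching the package needs s3:GetObject on the archive, not Action '*' on Resource '*'.
        for policy in props.get("Policies", []):
            for stmt in _allow_statements(policy.get("PolicyDocument", {})):
                if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
                    findings.append(f"{role_name}/{policy.get('PolicyName')}: grants Action '*' on Resource '*'")
    return findings

def make_template(services, action, resource):
    """Constructed minimal template shaped like the question's (not the poster's actual files)."""
    return {"Resources": {
        "SkillRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": services}, "Action": ["sts:AssumeRole"]}]},
            "Policies": [{"PolicyName": "root", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": action, "Resource": resource}]}}]}},
        "Skill": {"Type": "Alexa::ASK::Skill", "Properties": {"SkillPackage": {
            "S3Bucket": "myskillpackagebucket", "S3Key": "my_function10.zip", "S3BucketRole": {"Fn::GetAtt": ["SkillRole", "Arn"]}}}}}}
```

Running `check_skill_roles(make_template(["s3.amazonaws.com", "lambda.amazonaws.com"], "*", "*"))` reproduces both problems with the question's role, and the same call with `[ALEXA_PRINCIPAL]`, `"s3:GetObject"` and the package path returns no findings.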