I'm trying to create a simple Lambda via Terraform. I'm getting an error that has come up many times on Stack Overflow, and I've been reading the solutions, but they aren't working for me.

When I run `terraform apply` I get this error:
```
aws_lambda_function.get_snow: Creating...
╷
│ Error: creating Lambda Function (howmuchsnow_get_snow): operation error Lambda: CreateFunction, https response error StatusCode: 403, RequestID: b66dcc48-58f8-4806-9100-69950c011cd4, api error AccessDeniedException: UnknownError
│
│ with aws_lambda_function.get_snow,
│ on get-snow-lambda.tf line 58, in resource "aws_lambda_function" "get_snow":
│ 58: resource "aws_lambda_function" "get_snow" {
│
```
I've seen many posts about this error, and all of them were resolved by granting the appropriate permissions to the IAM user running `terraform apply` on the command line. However, my IAM user has administrator access.

This is the IAM user I'm connected as in the terraform session environment.

My project has two files.

`terraform-backend.tf`
```hcl
terraform {
  required_version = ">= 1.2.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.19.0"
    }
  }
  backend "s3" {
    bucket         = "howmuchsnow-terraform-state"
    key            = "global/s3/terraform.tfstate"
    region         = "us-east-1" # Can't use a variable here - maybe an env var?
    dynamodb_table = "howmuchsnow-terraform-lock"
    encrypt        = true
  }
}

provider "aws" {
  region = var.aws_region
}

resource "aws_s3_bucket" "terraform_state" {
  bucket = "howmuchsnow-terraform-state"
}

resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_dynamodb_table" "terraform_lock" {
  name         = "howmuchsnow-terraform-lock"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}
```
`get-snow-lambda.tf`
```hcl
data "aws_iam_policy_document" "get_snow" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "get_snow_lambda" {
  name               = "get_snow_lambda_role"
  assume_role_policy = data.aws_iam_policy_document.get_snow.json
}

resource "aws_cloudwatch_log_group" "get_snow_lambda" {
  name              = "/aws/lambda/${aws_lambda_function.get_snow.function_name}"
  retention_in_days = var.log_retention
}

data "aws_iam_policy_document" "get_snow_lambda" {
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_role_policy" "get_snow_lambda" {
  name   = "howmuchsnow_get_snow_lambda_policy"
  policy = data.aws_iam_policy_document.get_snow_lambda.json
  role   = aws_iam_role.get_snow_lambda.id
}

data "archive_file" "get_snow_lambda" {
  type        = "zip"
  source_file = "${path.module}/lambdas/get_snow.py"
  output_path = "${path.module}/lambdas/get_snow.zip"
}

resource "aws_lambda_function" "get_snow" {
  function_name    = "howmuchsnow_get_snow"
  filename         = data.archive_file.get_snow_lambda.output_path
  handler          = "get_snow.handler"
  source_code_hash = data.archive_file.get_snow_lambda.output_base64sha256
  runtime          = "python3.10"
  role             = aws_iam_role.get_snow_lambda.arn
}
```
Also for reference:

```
Terraform v1.6.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/archive v2.4.0
+ provider registry.terraform.io/hashicorp/aws v5.19.0
```
I believe the IAM user you're using to create the function doesn't have sufficient permissions. Changing the access key and key ID may help.
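A check worth running before rotating keys, added here as an example and not part of the question or answer: it resolves the identity in the credential chain Terraform will actually pick up (an exported `AWS_ACCESS_KEY_ID` takes precedence over a profile) and asks the IAM policy simulator whether that identity may call `lambda:CreateFunction` on the function and `iam:PassRole` on `get_snow_lambda_role`, which is the pair CreateFunction needs. Both can be denied by an Organizations SCP or a permissions boundary even when the identity policy is AdministratorAccess. It assumes `boto3` and valid credentials; the region and names are taken from the question.

```python
from typing import Dict, List

# Names taken from the question; the account id is resolved at run time.
FUNCTION_NAME = "howmuchsnow_get_snow"
ROLE_NAME = "get_snow_lambda_role"
REGION = "us-east-1"

def principal_arn(caller_arn: str) -> str:
    """STS assumed-role ARN -> IAM role ARN (what the simulator accepts); user ARNs pass through."""
    parts = caller_arn.split(":")
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return caller_arn

def explain(results: List[Dict]) -> Dict[str, str]:
    """Map each EvaluationResult from SimulatePrincipalPolicy to a short verdict."""
    verdicts = {}
    for r in results:
        decision = r.get("EvalDecision", "implicitDeny")
        reasons = []
        # An AdministratorAccess identity policy can still lose to an SCP or a permissions boundary.
        if r.get("OrganizationsDecisionDetail", {}).get("AllowedByOrganizations") is False:
            reasons.append("blocked by an Organizations SCP")
        if r.get("PermissionsBoundaryDecisionDetail", {}).get("AllowedByPermissionsBoundary") is False:
            reasons.append("blocked by a permissions boundary")
        if decision != "allowed" and not reasons:
            reasons.append("explicit Deny matched" if decision == "explicitDeny" else "no Allow matched")
        verdicts[r["EvalActionName"]] = decision if decision == "allowed" else f"{decision}: {'; '.join(reasons)}"
    return verdicts

def simulate() -> Dict[str, str]:
    """Resolve the identity in the credential chain and simulate CreateFunction + PassRole (needs boto3)."""
    import boto3  # imported here so the pure helpers above work without boto3
    ident = boto3.client("sts").get_caller_identity()
    acct = ident["Account"]
    checks = {
        "lambda:CreateFunction": f"arn:aws:lambda:{REGION}:{acct}:function:{FUNCTION_NAME}",
        "iam:PassRole": f"arn:aws:iam::{acct}:role/{ROLE_NAME}",
    }
    iam, results = boto3.client("iam"), []
    for action, resource in checks.items():
        resp = iam.simulate_principal_policy(PolicySourceArn=principal_arn(ident["Arn"]),
                                             ActionNames=[action], ResourceArns=[resource])
        results.extend(resp["EvaluationResults"])
    return explain(results)

if __name__ == "__main__":
    for action, verdict in simulate().items():
        print(f"{action}: {verdict}")
```

If both actions come back `allowed` for the identity shown, the 403 is not an IAM problem for that principal and the credentials Terraform is using should be compared against the ones you tested.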