Unable to trigger Lambda from a Kinesis consumer

Question    Votes: 0    Answers: 1

I have a lambda that consumes near-real-time updates from a DynamoDB table via a Kinesis Data Stream. I also created a stream consumer that the lambda consumes data from. When I try to deploy it to my account, I get the following error:

Resource handler returned message: "Invalid request provided: Cannot access event source. Please ensure the role can perform the DescribeStreamSummary, ListShards, GetShardIterator and GetRecords actions on your stream and SubscribeToShard on your consumer in IAM.

Below is the lambda IAM role that is created:

    lambdaRole.attachInlinePolicy(
      new moteiam.SecurePolicy(this, 'Policy1', {
        policyName: "Policy1",
        statements: [
          new moteiam.SecurePolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              'kinesis:DescribeStreamSummary',
              'kinesis:GetShardIterator',
              'kinesis:ListShards',
              'kinesis:SubscribeToShard',
              'kinesis:DescribeStream',
              'kinesis:ListStreams',
              'kinesis:DescribeStreamConsumer',
              'kinesis:GetRecords',
            ],
            resources: [streamArn],
          }),
          new moteiam.SecurePolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              'kms:*',
            ],
            resources: ['*'],
          }),
          new moteiam.SecurePolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              'kinesis:SubscribeToShard',
            ],
            resources: [KDSConsumer.attrConsumerArn],
          }),
          new moteiam.SecurePolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: [
              'dynamodb:*',
            ],
            resources: ['*'],
          }),
        ],
      }),
    );

    lambdaRole.addManagedPolicy(
      moteiam.SecureManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'),
    );
    lambdaRole.addManagedPolicy(
      moteiam.SecureManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'),
    );

I also tried adding AWSLambdaKinesisExecutionRole (in case I had missed something), but I still get the same error.

Am I missing anything else?

amazon-web-services aws-lambda aws-cdk amazon-kinesis
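As an added example (not code from the question or the answer), the TypeScript below checks a plain IAM policy document against exactly the grants the error message lists: the four stream actions on the stream ARN and SubscribeToShard on the consumer ARN. The ARNs and both policy documents are constructed samples, the matching follows IAM's wildcard rules for actions and resources, and the CDK wrapper constructs used in the question (`moteiam.*`) are not reproduced here.

```typescript
// Added example (not from the original question or answer). Checks whether an IAM
// identity policy document covers the grants named in the Lambda/Kinesis error
// message. All ARNs and policy documents below are constructed sample values.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// The actions the error message requires on the stream and on the consumer.
const STREAM_ACTIONS = [
  "kinesis:DescribeStreamSummary",
  "kinesis:ListShards",
  "kinesis:GetShardIterator",
  "kinesis:GetRecords",
];
const CONSUMER_ACTIONS = ["kinesis:SubscribeToShard"];

function toArray(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM-style wildcard match: '*' matches any sequence, '?' a single character.
// Action names compare case-insensitively; ARNs compare case-sensitively.
function wildcardMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern
    .split("")
    .map((ch) => (ch === "*" ? ".*" : ch === "?" ? "." : ch.replace(/[.+^${}()|[\]\\]/, "\\$&")))
    .join("");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

// Returns the "action on resource" pairs that no Allow statement covers, or that an
// explicit Deny blocks. Only the identity policy is evaluated; key policies, SCPs
// and permission boundaries are outside this check.
function missingGrants(policy: PolicyDocument, streamArn: string, consumerArn: string): string[] {
  const required: Array<[string, string]> = [
    ...STREAM_ACTIONS.map((a): [string, string] => [a, streamArn]),
    ...CONSUMER_ACTIONS.map((a): [string, string] => [a, consumerArn]),
  ];
  const missing: string[] = [];
  for (const [action, resource] of required) {
    const covers = (s: Statement): boolean =>
      toArray(s.Action).some((p) => wildcardMatch(p, action, true)) &&
      toArray(s.Resource).some((p) => wildcardMatch(p, resource, false));
    const denied = policy.Statement.some((s) => s.Effect === "Deny" && covers(s));
    const allowed = policy.Statement.some((s) => s.Effect === "Allow" && covers(s));
    if (denied || !allowed) {
      missing.push(`${action} on ${resource}`);
    }
  }
  return missing;
}

// Constructed sample ARNs (placeholders, not real resources). Note that the
// consumer ARN extends the stream ARN, so an exact stream ARN does not match it.
const STREAM_ARN = "arn:aws:kinesis:us-east-1:111122223333:stream/example-stream";
const CONSUMER_ARN = `${STREAM_ARN}/consumer/example-consumer:1700000000`;

// Mirrors the shape of the question's policy: stream actions on the stream ARN,
// SubscribeToShard on the consumer ARN.
const GOOD_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: [...STREAM_ACTIONS, "kinesis:SubscribeToShard"], Resource: STREAM_ARN },
    { Effect: "Allow", Action: "kinesis:SubscribeToShard", Resource: CONSUMER_ARN },
  ],
};

// A policy scoped to the stream ARN only: the enhanced fan-out subscription
// targets the consumer ARN and is therefore not covered.
const STREAM_ONLY_POLICY: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "kinesis:*", Resource: STREAM_ARN }],
};

console.log(missingGrants(GOOD_POLICY, STREAM_ARN, CONSUMER_ARN));        // []
console.log(missingGrants(STREAM_ONLY_POLICY, STREAM_ARN, CONSUMER_ARN)); // one entry, for the consumer ARN
```

Run it with ts-node. The second policy shows why a grant scoped to the stream ARN alone leaves the consumer subscription uncovered: the consumer has its own ARN, which is why the question's third statement targets `KDSConsumer.attrConsumerArn` separately. The check covers only the lambda role's identity policy and says nothing about what the DynamoDB side needs in order to write into the stream.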
1 Answer

0 votes

You are probably missing the permission to write to the stream, which you have to assign to the DynamoDB table through a service-linked role (the permissions on the lambda that you mention look fine).

Refer to the official documentation.
