I wanted to run one of my AWS Lambda functions from a server, so I executed the following command:
aws lambda invoke --function-name My-fuction out --log-type Tail
It failed with this error: function:My-fuction because no identity-based policy allows the lambda:InvokeFunction action
So I checked the policies attached to the role and found no Lambda-related permissions, so I created a customer inline policy on the role:
1. Configure it as follows: only the List and Read access levels are needed, plus the InvokeFunction permission, which must be added under Write.
2. Then restrict the function under Resource by specifying the Region, Account and Function Name.
The resulting policy is shown below; in future it can simply be edited directly, changing only the fields that apply:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:ListVersionsByFunction",
                "lambda:GetLayerVersion",
                "lambda:GetEventSourceMapping",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "lambda:GetFunctionConfiguration",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:ListFunctionEventInvokeConfigs",
                "lambda:ListProvisionedConcurrencyConfigs",
                "lambda:GetProvisionedConcurrencyConfig",
                "lambda:ListFunctionsByCodeSigningConfig",
                "lambda:GetFunctionConcurrency",
                "lambda:ListTags",
                "lambda:GetFunctionEventInvokeConfig",
                "lambda:GetCodeSigningConfig",
                "lambda:GetAlias",
                "lambda:GetPolicy"
            ],
            "Resource": "arn:aws-cn:lambda:cn-north-1:199012345678:function:My-function"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:ListLayerVersions",
                "lambda:ListLayers",
                "lambda:GetAccountSettings",
                "lambda:ListCodeSigningConfigs"
            ],
            "Resource": "*"
        }
    ]
}
If you edit the policy directly, only "Resource": "arn:aws-cn:lambda:cn-north-1:199012345678:function:My-function" needs to be changed.
If the Region and the Function Name should match anything, write * and function:* in the corresponding positions.
Several Resources can also be specified: follow "Resource": with square brackets [ ] and write the values inside them, separated by commas.
Please respect the work of others; when reposting, be sure to cite the source: https://www.cnblogs.com/5201351/p/17078619.html
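As an added example (not code from the original post or from AWS), the following Python builds the same kind of function-scoped inline policy from the four parts the post says to vary (partition, region, account, function name), handles the * wildcard and the multiple-Resource list form, and runs a simplified Allow-statement check to confirm that lambda:InvokeFunction is covered for a given ARN. The helper names, the choice of lambda:GetFunction as the only extra action, and the matcher itself are assumptions; the matcher is a sanity check, not an IAM policy simulator.

```python
import fnmatch
import json


def build_invoke_policy(partition, region, account, function_names):
    """Least-privilege inline policy allowing invocation of the given
    Lambda function(s). Constructed example; action list is an assumption."""
    # One ARN per function; '*' in region or name passes through as an IAM wildcard
    resources = [
        f"arn:{partition}:lambda:{region}:{account}:function:{name}"
        for name in function_names
    ]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowInvoke",
                "Effect": "Allow",
                "Action": ["lambda:InvokeFunction", "lambda:GetFunction"],
                # IAM accepts a single string or a list; a list covers several functions
                "Resource": resources if len(resources) > 1 else resources[0],
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource_arn):
    """Simplified check: does any Allow statement cover action on resource_arn?
    IAM '*' and '?' wildcards are matched with fnmatch. Explicit Deny, Condition
    blocks, NotAction/NotResource and resource-based policies are ignored."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and any(
            fnmatch.fnmatchcase(resource_arn, r) for r in resources
        ):
            return True
    return False


if __name__ == "__main__":
    # Account id and ARN layout follow the post; the function names are constructed
    policy = build_invoke_policy("aws-cn", "cn-north-1", "199012345678", ["My-function"])
    print(json.dumps(policy, indent=4))
```

Run the module to print the generated policy; call policy_allows with the ARN the CLI is about to invoke to see whether the policy would cover it before attaching it to the role.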