首页 > 其他分享 >关于在AWS下Role中创建Policy添加对某个Lambda函数的执行权限

关于在AWS下Role中创建Policy添加对某个Lambda函数的执行权限

时间:2023-01-31 12:55:41浏览次数:54  
标签:function Resource aws AWS Role Policy My lambda

因为想在服务器上运行aws上的某个Lambda函数,于是执行如下命令

aws lambda invoke --function-name My-fuction out --log-type Tail 

但是有报错:function:My-fuction because no identity-based policy allows the lambda:InvokeFunction action

于是去检查Role中的policy,发现没有Lambda相关的权限,于是到Role中创建一个Customer inline的policy

1、按如下方式,只需要List和Read,另外Write中必须要添加一个InvokeFunction权限

2、然后在Resource中限制Fuction,指定Region & Account & Function Name 即可

最后的生成的策略,如下,以后也可以直接更改如下策略即可,只修改适应的位置:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:ListVersionsByFunction",
                "lambda:GetLayerVersion",
                "lambda:GetEventSourceMapping",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "lambda:GetFunctionConfiguration",
                "lambda:GetLayerVersionPolicy",
                "lambda:GetFunctionCodeSigningConfig",
                "lambda:ListFunctionEventInvokeConfigs",
                "lambda:ListProvisionedConcurrencyConfigs",
                "lambda:GetProvisionedConcurrencyConfig",
                "lambda:ListFunctionsByCodeSigningConfig",
                "lambda:GetFunctionConcurrency",
                "lambda:ListTags",
                "lambda:GetFunctionEventInvokeConfig",
                "lambda:GetCodeSigningConfig",
                "lambda:GetAlias",
                "lambda:GetPolicy"
            ],
            "Resource": "arn:aws-cn:lambda:cn-north-1:199012345678:function:My-function"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:ListLayerVersions",
                "lambda:ListLayers",
                "lambda:GetAccountSettings",
                "lambda:ListCodeSigningConfigs"
            ],
            "Resource": "*"
        }
    ]
}

如果直接修改策略,只需要修改"Resource": "arn:aws-cn:lambda:cn-north-1:199012345678:function:My-function" 即可

如果Region 和 Function Name 为any的话,可以在相应的位置写* 和 function:*

另外,还可以指定多个Resource,那样"Resource": 后面跟一个中括号 [ ] 就可以了,将多个值写到[ ]内,以逗号隔开

 

 

尊重别人的劳动成果 转载请务必注明出处:https://www.cnblogs.com/5201351/p/17078619.html

 

标签:function,Resource,aws,AWS,Role,Policy,My,lambda
From: https://www.cnblogs.com/5201351/p/17078619.html

相关文章