Amazon web services 如何正确地从lambda调用另一个帐户中的lambda函数？

我在从帐户a中的其他lambda调用帐户B中的lambda时遇到问题

账户A的角色arn是

arn:aws:iam:：账户A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP

帐户A的角色名称为

DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP

帐户B的角色名称为

Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1

帐户B的角色arn是

arn:aws:lambda:us-east-1:462087996972:function:GetActiveDeviceIdsLambdaChris

对于帐户，my lambda角色具有以下权限：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
            "Effect": "Allow"
        }
    ]
}

帐户B中的我的lambda具有使用cloudformation定义的以下角色：

    "CrossAccountExecutionRoleDemo": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
              },
              "Action": "sts:AssumeRole"
            },
            {
              "Effect": "Allow",
              "Principal": { "Service": ["lambda.amazonaws.com"] },
              "Action": ["sts:AssumeRole"]
            }
          ]
        }
      }
    },
    "CrossAccountExecutionPolicyDemo": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "lambda:InvokeFunction",
              "Resource": { "Fn::GetAtt": ["GetActiveDeviceIdsLambdaDemo", "Arn"] }
            }
          ]
        },
        "Roles": [
          {
            "Ref": "CrossAccountExecutionRoleDemo"
          }
        ]
      }
    }

当我发出以下请求时，我得到一个错误

let roleArn = 'arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-CrossAccountExecutionRol-1ANKXFZ6YS23'
sts.assumeRole(
      {
        RoleArn: roleArn,
        RoleSessionName: 'NightlySimService',
      }, function(err, res){ ... }

错误：

" 拒绝访问：用户：arn:aws:sts:：ACCOUNT_A:假定角色/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP/DeviceApiStack-NightlysimService Lambdaa51B2AFE-JSUFU8F5BZGC无权在资源上执行：sts:AssumeRole:arn:aws:iam:：ACCOUNT_B:角色/Chris-APIStack1-Q6AJ1PZ8V-CrossAccountExecutionRol-1ANKXFZ6YS23F

---

“

我可以在角色中发现两个明显的问题，这可能是你犯错误的原因

首先错误原则：

  "Principal": {
      "AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
   },

  {
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
     "Effect": "Allow"
  }

在您编写时，角色arn是

arn:aws:iam:：ACCOUNT\u A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP

，这与您在

主体中提供的内容不匹配

第二不正确的资源：

  "Principal": {
      "AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
   },

  {
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
     "Effect": "Allow"
  }

操作
lambda:InvokeFunction
适用于lambda函数，而不是IAM角色。因此，
资源
应该是lambda的ARN

可能会有更多的问题，目前还不太明显。
基本流程是：Account-A中的Lambda函数调用Role-B中的AssumeRole。然后，它使用这些临时凭据调用Lambda-B中的
Invoke
。Role-A不需要授予Lambda调用
Invoke
的权限，因为Role-A不会用于调用Lamda-B。相反，角色B需要获得调用Lambda-B的权限。