Amazon web services 如何正确地从lambda调用另一个帐户中的lambda函数?
我在从帐户a中的其他lambda调用帐户B中的lambda时遇到问题 账户A的角色arn是Amazon web services 如何正确地从lambda调用另一个帐户中的lambda函数?,amazon-web-services,aws-lambda,amazon-cloudformation,Amazon Web Services,Aws Lambda,Amazon Cloudformation,我在从帐户a中的其他lambda调用帐户B中的lambda时遇到问题 账户A的角色arn是arn:aws:iam::账户A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP 帐户A的角色名称为DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP 帐户B的角色名称为Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5A
arn:aws:iam::账户A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP
帐户A的角色名称为DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP
帐户B的角色名称为Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1
帐户B的角色arn是arn:aws:lambda:us-east-1:462087996972:function:GetActiveDeviceIdsLambdaChris
对于帐户,my lambda角色具有以下权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
},
{
"Action": "lambda:InvokeFunction",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
}
]
}
帐户B中的我的lambda具有使用cloudformation定义的以下角色:
"CrossAccountExecutionRoleDemo": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": { "Service": ["lambda.amazonaws.com"] },
"Action": ["sts:AssumeRole"]
}
]
}
}
},
"CrossAccountExecutionPolicyDemo": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": { "Fn::GetAtt": ["GetActiveDeviceIdsLambdaDemo", "Arn"] }
}
]
},
"Roles": [
{
"Ref": "CrossAccountExecutionRoleDemo"
}
]
}
}
当我发出以下请求时,我得到一个错误
let roleArn = 'arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-CrossAccountExecutionRol-1ANKXFZ6YS23'
sts.assumeRole(
{
RoleArn: roleArn,
RoleSessionName: 'NightlySimService',
}, function(err, res){ ... }
错误:
"
拒绝访问:用户:arn:aws:sts::ACCOUNT_A:假定角色/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP/DeviceApiStack-NightlysimService Lambdaa51B2AFE-JSUFU8F5BZGC无权在资源上执行:sts:AssumeRole:arn:aws:iam::ACCOUNT_B:角色/Chris-APIStack1-Q6AJ1PZ8V-CrossAccountExecutionRol-1ANKXFZ6YS23F
“我可以在角色中发现两个明显的问题,这可能是你犯错误的原因 首先错误原则:
"Principal": {
"AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
},
{
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
}
在您编写时,角色arn是arn:aws:iam::ACCOUNT\u A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP
,这与您在主体中提供的内容不匹配
第二不正确的资源:
"Principal": {
"AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
},
{
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
}
操作lambda:InvokeFunction
适用于lambda函数,而不是IAM角色。因此,资源
应该是lambda的ARN
可能会有更多的问题,目前还不太明显。基本流程是:Account-A中的Lambda函数调用Role-B中的AssumeRole。然后,它使用这些临时凭据调用Lambda-B中的Invoke
。Role-A不需要授予Lambda调用Invoke
的权限,因为Role-A不会用于调用Lamda-B。相反,角色B需要获得调用Lambda-B的权限。