Amazon web services 是否可以在不同的帐户中调用lambda?
我在一个账户上有一个lambda,并附上此保单:Amazon web services 是否可以在不同的帐户中调用lambda?,amazon-web-services,lambda,amazon-cloudformation,Amazon Web Services,Lambda,Amazon Cloudformation,我在一个账户上有一个lambda,并附上此保单: { "Sid": "Id-123", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::115333656057:root"}, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceSchedul
{
"Sid": "Id-123",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::115333656057:root"},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
}
当我从帐户115333656057创建堆栈时,我的用户试图执行lambda,我得到了以下错误:
User: arn:aws:iam::115333656057:user/uguesm is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:260143830488:function:CentralizedInstanceScheduler-InstanceSchedulerMain
我做错了什么?在帐户260143830488中-编辑您的角色,将策略添加到InvokeFunction,并为另一个帐户添加信任策略 权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
},
]
}
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::260143830488:role/<RoleName>"
}
}
信任关系策略:
{
"Sid": "Id-123",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::115333656057:role/<lambda-role>"},
"Action": "sts:AssumeRole",
}
我创建了所有描述的资源,但省略了一些细节。lambda函数由aws CustomResource
“Resources”:{“OfficehoursSwitzerland”:{“Type”:“Custom::ServiceInstanceSchedule”,“Properties”:{“ServiceToken”:“arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler”上的CloudFormation从帐户115333656057触发,
我似乎无法像通常将InstanceProfile分配给ec2实例那样为该资源分配正确的角色…我猜您在创建堆栈时没有设置角色?您确定在创建堆栈时传递角色吗?
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "lambda.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}