Amazon Web Services: Access Denied error when creating a Lambda event source mapping with Terraform
I have an existing DynamoDB table with streams enabled. I am trying to deploy a Lambda function and add DynamoDB as a trigger using Terraform. I started with restricted permissions and got an AccessDenied error on aws_lambda_event_source_mapping, so I ended up granting the role all permissions on Lambda and DynamoDB, just to test. But I still get the access denied error:

Error creating Lambda event source mapping: AccessDeniedException

The Lambda function deployed successfully. I can confirm that the stream_arn of the DynamoDB table is accurate too. Here is my Terraform script:
# Execution role that the Lambda service assumes when running the function
resource "aws_iam_role" "lambda_name_role" {
  name               = "lambda_name_role-test"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_lambda_function" "lambda_function_name" {
  filename         = "./file.zip"
  function_name    = "lambda-function-name-test"
  role             = aws_iam_role.lambda_name_role.arn
  handler          = "parse.handler"
  source_code_hash = filebase64sha256("./file.zip")
  memory_size      = 512
  timeout          = 10
  runtime          = "nodejs12.x"
}

# Permissions granted to the execution role (not to the identity running Terraform)
resource "aws_iam_policy" "lambda_dynamodb_access" {
  name        = "lambda_dynamodb_access_policy_test"
  path        = "/"
  description = "IAM policy for DynamoDB access from lambda"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:*",
        "lambda:*"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_dynamodb_policy_attachment" {
  role       = aws_iam_role.lambda_name_role.name
  policy_arn = aws_iam_policy.lambda_dynamodb_access.arn
}

resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_policy_attachment" {
  role       = aws_iam_role.lambda_name_role.name
  policy_arn = var.cloudwatch_policy_arn
}

# The trigger: the DynamoDB stream feeding the function
resource "aws_lambda_event_source_mapping" "lambda_trigger_dynamodb" {
  event_source_arn  = var.dynamodb_table_stream_arn
  function_name     = aws_lambda_function.lambda_function_name.arn
  starting_position = "LATEST"
}
What policies does your IAM user or role have? Setting up an event source mapping requires specific permissions. Are you running the Terraform script as a user that has permission to add event source mappings?

Could you try adding a time delay before the aws_lambda_event_source_mapping? If you do that, you need to add a dependency so that it waits until the Lambda resource is fully available.

@jaredready I am the administrator of the account, and this script is being run with security credentials created under my account.

@Geeshan I created all the other components first and then ran the event source mapping separately. But no luck.

Can you create the event source mapping between the Lambda and the table manually in the console as a test? That would confirm that you can create such a mapping, and it should also produce additional error messages if there is some permission problem.
aws lambda create-event-source-mapping --event-source-arn <dynamodb-stream-arn> --function-name <lambda-function-arn> --enabled --starting-position LATEST
An error occurred (AccessDeniedException) when calling the CreateEventSourceMapping operation: User: <my-arn> is not authorized to perform: lambda:CreateEventSourceMapping on resource: * with an explicit deny
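The error above names the caller (`User: <my-arn>`), not the Lambda execution role, and ends with "with an explicit deny". The `lambda:*` Allow in the Terraform script is attached to the execution role, so it is never consulted for this call, and even an Allow on the caller cannot override a Deny. The following is an added illustration, not code from the question or from AWS: a simplified model of IAM's evaluation order (explicit Deny, then Allow, then implicit deny) run against constructed policies, including a hypothetical guardrail-style Deny of the kind a service control policy or permissions boundary carries.

```python
import fnmatch
import json

# Simplified model of IAM evaluation: any matching explicit Deny wins, otherwise a
# matching Allow permits, otherwise the request is implicitly denied. Conditions,
# NotAction/NotResource and resource-level ARN matching beyond wildcards are omitted.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # Action and resource strings are compared case-insensitively with * and ? wildcards.
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policies, action, resource="*"):
    """Return (verdict, statement): verdict is "explicit_deny", "allow" or "implicit_deny"."""
    first_allow = None
    for doc in policies:
        for stmt in json.loads(doc)["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny", stmt  # a Deny overrides every Allow, wherever it lives
            first_allow = first_allow or stmt
    return ("allow", first_allow) if first_allow else ("implicit_deny", None)

# Constructed sample policies (not taken from the question): the broad Allow the asker
# granted, plus a hypothetical Deny such as an SCP or permissions boundary might impose.
CALLER_ALLOW = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*", "lambda:*"], "Resource": "*"}]})
GUARDRAIL_DENY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "NoNewTriggers", "Effect": "Deny",
     "Action": ["lambda:CreateEventSourceMapping", "lambda:UpdateEventSourceMapping"],
     "Resource": "*"}]})

if __name__ == "__main__":
    for action in ("lambda:CreateEventSourceMapping", "lambda:CreateFunction"):
        verdict, stmt = evaluate([CALLER_ALLOW, GUARDRAIL_DENY], action)
        print(f"{action}: {verdict}" + (f" via Sid {stmt['Sid']}" if stmt and "Sid" in stmt else ""))
```

Against a real account the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <caller-arn> --action-names lambda:CreateEventSourceMapping`, which reports the denying statement, including SCP and permissions-boundary denies that do not appear in the identity's own attached policies.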