Amazon web services: access denied error when creating a Lambda event source mapping using Terraform

Tags: amazon-web-services, aws-lambda, amazon-dynamodb, terraform, terraform-provider-aws

I have an existing DynamoDB table with streams enabled. I am trying to deploy a Lambda function and add DynamoDB as a trigger using Terraform.

I started with restricted permissions and got an AccessDenied error on aws_lambda_event_source_mapping. So I ended up granting the role all Lambda and DynamoDB permissions, just for testing. But I still get the access denied error:

Error creating Lambda event source mapping: AccessDeniedException

The Lambda function deployed successfully. I can also confirm that the stream_arn of the DynamoDB table is correct.

Here is my Terraform script:

resource "aws_iam_role" "lambda_name_role" {
  name = "lambda_name_role-test"

  # Trust policy: lets the Lambda service assume this execution role
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_lambda_function" "lambda_function_name" {
  filename      = "./file.zip"
  function_name = "lambda-function-name-test"
  role          = aws_iam_role.lambda_name_role.arn
  handler       = "parse.handler"

  source_code_hash = filebase64sha256("./file.zip")
  memory_size      = 512
  timeout          = 10
  runtime          = "nodejs12.x"
}

resource "aws_iam_policy" "lambda_dynamodb_access" {
  name        = "lambda_dynamodb_access_policy_test"
  path        = "/"
  description = "IAM policy for DynamoDB access from lambda"

  policy = <<EOF
{
    "Version": "2012-10-17",
        "Statement": [
            {
                "Effect":"Allow",
                "Action": [
                    "dynamodb:*",
                    "lambda:*"
                ],
                "Resource":"*"
            }
        ]

}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_dynamodb_policy_attachment" {
  role       = aws_iam_role.lambda_name_role.name
  policy_arn = aws_iam_policy.lambda_dynamodb_access.arn
}

resource "aws_iam_role_policy_attachment" "lambda_cloudwatch_policy_attachment" {
  # Attach the CloudWatch policy to the same execution role as above
  role       = aws_iam_role.lambda_name_role.name
  policy_arn = var.cloudwatch_policy_arn
}

resource "aws_lambda_event_source_mapping" "lambda_trigger_dynamodb" {
  event_source_arn  = var.dynamodb_table_stream_arn
  function_name     = aws_lambda_function.lambda_function_name.arn
  starting_position = "LATEST"
}
Comments:

What policies does your IAM user or role have? Setting up an event source mapping requires specific permissions. Are you running the Terraform script as a user that has permission to add event source mappings?

Can you try adding a time delay before the "aws_lambda_event_source_mapping"? If you do that, you need to add a dependency so that it waits until the Lambda resource is fully available.

@jaredready I am the administrator of the account, and this script is run with security credentials created under my account. @Geeshan I created all the other components first and then ran the event source mapping separately. But no luck.

Can you manually create the event source mapping between the Lambda and the table in the console for testing? That would confirm that you can create such a mapping, and if there is some permission issue it should also produce an additional error message.
aws lambda create-event-source-mapping --event-source-arn <dynamodb-stream-arn> --function-name <lambda-function-arn> --enabled --starting-position LATEST
An error occurred (AccessDeniedException) when calling the CreateEventSourceMapping operation: User: <my-arn> is not authorized to perform: lambda:CreateEventSourceMapping on resource: * with an explicit deny
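The "with an explicit deny" in that CLI error is the part to chase: an explicit Deny anywhere in the effective policy set (identity policy, permissions boundary or SCP) overrides the `lambda:*` Allow, which is why widening the role's permissions changed nothing. The script below is an added example, not code from the question, the comments or the Terraform provider; it models that evaluation order over constructed policies, where the Deny statement is an assumed stand-in for whatever policy produced the deny in the question.

```python
import fnmatch

# Constructed sample policies for the identity running `terraform apply`.
# The Allow mirrors the "dynamodb:*" / "lambda:*" on "*" grant from the question;
# the Deny is an assumed stand-in for whatever policy (identity policy, permissions
# boundary or SCP) produced the "explicit deny" in the AccessDeniedException.
IDENTITY_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow",
         "Action": ["dynamodb:*", "lambda:*"], "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyEventSourceMappings", "Effect": "Deny",
         "Action": ["lambda:CreateEventSourceMapping", "lambda:UpdateEventSourceMapping"],
         "Resource": "*"}]},
]

# Constructed function ARN, in the shape the event source mapping would target
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:lambda-function-name-test"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # Action and Resource patterns are case-insensitive globs, e.g. "lambda:*" or "lambda:Create*"
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))


def matching_statements(policies, action, resource):
    """Return the statements whose Action and Resource both cover the request."""
    return [stmt for policy in policies for stmt in policy["Statement"]
            if _matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", []), resource)]


def evaluate(policies, action, resource):
    """Simplified IAM decision: any explicit Deny wins, then any Allow, else implicit deny.
    Conditions, NotAction/NotResource and cross-account rules are deliberately left out."""
    matched = matching_statements(policies, action, resource)
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicit deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return "implicit deny"


def denying_sids(policies, action, resource):
    """Statements to go looking for when the error message says 'with an explicit deny'."""
    return [s.get("Sid", "<no Sid>") for s in matching_statements(policies, action, resource)
            if s["Effect"] == "Deny"]
```

Against real policies the same question is answered by `aws iam simulate-principal-policy` with `--action-names lambda:CreateEventSourceMapping`, which reports the matching statements and the evaluation decision, including denies from boundaries and SCPs.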