Amazon web services 试图从Lambda调用APIG时，用户无权在资源上执行：execute api:Invoke_Amazon Web Services_Aws Lambda_Aws Api Gateway_Amazon Iam

Amazon web services 试图从Lambda调用APIG时，用户无权在资源上执行：execute api:Invoke

amazon-web-services aws-lambda

Amazon web services 试图从Lambda调用APIG时，用户无权在资源上执行：execute api:Invoke,amazon-web-services,aws-lambda,aws-api-gateway,amazon-iam,Amazon Web Services,Aws Lambda,Aws Api Gateway,Amazon Iam,我正在尝试将Aws帐户a中的Lambda连接到帐户B中托管的API网关。为此，我在帐户B中创建了一个IAM角色，其策略如下所示： { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Resource&quo

我正在尝试将Aws帐户a中的Lambda连接到帐户B中托管的API网关。为此，我在帐户B中创建了一个IAM角色，其策略如下所示：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:us-west-2:*:*/*/*/GET/someApi/{ID}"
            ],
            "Effect": "Allow"
        }
    ]
}

我在白名单帐户a的角色中添加了信任关系，其形式如下

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountA:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

现在在帐户A中，在Lambdas执行角色中，我添加了一个策略，允许它以以下形式承担在帐户B中创建的角色：

{
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::accountB:role/roleNameCreatedInAccountB",
            "Effect": "Allow"
        }

那么为什么我尝试从Lambda调用API，我会得到以下错误：

User: arn:aws:sts::accouuntB:assumed-role/roleNameCreatedInAccountB/SessionName is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:***********9:xxxx/beta/GET/someApi/12274e6b-e051-4073-b157-949893d8ae84 (Service: xxx; Status Code: 403; Error Code: AccessDeniedException; Request ID: 59e73e4f-eee4-485f-8975-b2e08eed90f5; Proxy: null)

什么是API执行角色，以及您究竟是如何尝试调用API的？