Amazon web services 试图从Lambda调用APIG时,用户无权在资源上执行:execute api:Invoke
我正在尝试将Aws帐户a中的Lambda连接到帐户B中托管的API网关。 为此,我在帐户B中创建了一个IAM角色,其策略如下所示:Amazon web services 试图从Lambda调用APIG时,用户无权在资源上执行:execute api:Invoke,amazon-web-services,aws-lambda,aws-api-gateway,amazon-iam,Amazon Web Services,Aws Lambda,Aws Api Gateway,Amazon Iam,我正在尝试将Aws帐户a中的Lambda连接到帐户B中托管的API网关。 为此,我在帐户B中创建了一个IAM角色,其策略如下所示: { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Resource&quo
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Resource": [
"arn:aws:execute-api:us-west-2:*:*/*/*/GET/someApi/{ID}"
],
"Effect": "Allow"
}
]
}
我在白名单帐户a的角色中添加了信任关系,其形式如下
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountA:root"
},
"Action": "sts:AssumeRole"
}
]
}
现在在帐户A中,在Lambdas执行角色中,我添加了一个策略,允许它以以下形式承担在帐户B中创建的角色:
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::accountB:role/roleNameCreatedInAccountB",
"Effect": "Allow"
}
那么为什么我尝试从Lambda调用API,我会得到以下错误:
User: arn:aws:sts::accouuntB:assumed-role/roleNameCreatedInAccountB/SessionName is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:***********9:xxxx/beta/GET/someApi/12274e6b-e051-4073-b157-949893d8ae84 (Service: xxx; Status Code: 403; Error Code: AccessDeniedException; Request ID: 59e73e4f-eee4-485f-8975-b2e08eed90f5; Proxy: null)
什么是API执行角色,以及您究竟是如何尝试调用API的?