Amazon Web Services: AWS Lambda cannot assume a role when triggered by CloudFormation

Tags: amazon-web-services, aws-lambda, amazon-cloudformation, assume-role

Lambda cannot assume a cross-account role when triggered by a CloudFormation script. I have a CloudFormation script that creates and triggers a Lambda function in account A. This function needs to copy an object from account B. I am using role-based cross-account access. In account B I have the following role (for testing purposes I am using S3 full access):
CrossAccountAccessRole:
  Type: 'AWS::IAM::Role'
  Properties:
    RoleName: 'CrossAccountAccessRole'
    Path: '/'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub 'arn:aws:iam::<AccountA>:role/CustomerCrossAccountAccessRole'
          Action: sts:AssumeRole

CrossAccountAccessPolicy:
  Type: "AWS::IAM::ManagedPolicy"
  Properties:
    Path: '/'
    ManagedPolicyName: CrossAccountAccessPolicy
    Roles:
      - !Ref CrossAccountAccessRole
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - s3:*
          Resource: '*'   # assumed: the policy as posted is cut off after the Action list, and a statement needs a Resource to be valid
However, if I run the same Lambda (the one created by the CloudFormation script) in test mode using the Test button in the AWS console, it downloads the file without any error.
Thank you. Your policy contains the following errors: The trust policy should specify account-A as the principal, which means that authorized users from that account can use the CrossAccountAccessRole role. You cannot directly specify the ARN of a user/role from a different account in the policy. An administrator in account-A must attach a policy that allows the role to call AssumeRole on the ARN of CrossAccountAccessRole. Make sure that CustomerCrossAccountAccessRole was assigned to the Lambda when it was created.
In a few places you wrote Account-A where it should actually be Account-B, but I guess those are typos. You do not need to manage a cross-account role for this. You can simply allow access from account-A in the target bucket's policy. With the permissions attached to the Lambda role, you can then access the bucket directly without assuming any role. Go to the S3 bucket, open the Permissions tab and click "Bucket Policy". Your policy would look like:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "DelegateReadToAccountA",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-A>:root"
        ]
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket_name>",
        "arn:aws:s3:::<bucket_name>/*"
      ]
    }
  ]
}
Although this approach is correct, I am using role-based cross-account access to avoid having to add a bucket policy for every bucket.
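Both answers above rest on the same evaluation rule: a cross-account request succeeds only when the caller's own identity-based policy in account A allows the action and the resource-based policy in account B (the role's trust policy for sts:AssumeRole, the bucket policy for s3:GetObject) has an Allow statement whose Principal covers the caller, either by naming its account root or by naming the specific role ARN. The Python script below is an added illustration of that two-sided check for this thread; it is not code from the question, the answers or AWS, and the account IDs, role names, bucket and object names in it are constructed. It models Allow statements only (no explicit Deny, Condition blocks, SCPs or permissions boundaries) and shows three things: a Lambda role without sts:AssumeRole in its own policy is refused even when the trust policy names its account; a trust policy on the account root lets any role in account A that holds that permission assume the role, whereas naming the one role ARN does not; and the bucket-policy route from the second answer still needs S3 permissions on the Lambda role itself.

```python
"""Simplified model of AWS cross-account policy evaluation (Allow statements only;
explicit Deny, Conditions, SCPs and permissions boundaries are out of scope).

Added example for this thread, not code from the question, the answers or AWS;
account IDs, role names and bucket names are constructed.
"""
from fnmatch import fnmatchcase

ACCOUNT_A = "111111111111"  # constructed: account that runs the Lambda
ACCOUNT_B = "222222222222"  # constructed: account that owns the bucket
LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/CustomerCrossAccountAccessRole"
OTHER_ROLE_IN_A = f"arn:aws:iam::{ACCOUNT_A}:role/SomeUnrelatedRole"
TARGET_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccountAccessRole"
BUCKET = "arn:aws:s3:::example-bucket"
OBJECT = BUCKET + "/data/file.csv"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match ('*', '?'); action names are case-insensitive, ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    """Does the Principal element of a resource-based policy cover caller_arn?"""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        # A bare account ID or the :root ARN delegates to every principal in that
        # account; each of them still needs its own identity-based permission.
        if p in ("*", caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
        if p == caller_arn:  # a specific IAM role or user ARN
            return True
    return False


def identity_allows(policy, action, resource):
    """Caller-side check against the identity-based policy."""
    return any(s["Effect"] == "Allow"
               and _matches(s["Action"], action, fold_case=True)
               and _matches(s.get("Resource", "*"), resource)
               for s in policy["Statement"])


def resource_allows(policy, caller_arn, action, resource):
    """Target-side check against a role trust policy or a bucket policy."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or not _principal_matches(s["Principal"], caller_arn):
            continue
        if not _matches(s["Action"], action, fold_case=True):
            continue
        # A trust policy has no Resource element: the role itself is the resource.
        if "Resource" in s and not _matches(s["Resource"], resource):
            continue
        return True
    return False


def cross_account_allowed(identity_policy, resource_policy, caller_arn, action, resource):
    """Both sides must allow; a grant on only one side is a denial."""
    return identity_allows(identity_policy, action, resource) and resource_allows(
        resource_policy, caller_arn, action, resource)


def _doc(statement):
    return {"Version": "2012-10-17", "Statement": [statement]}


# Account B trust policies: account-root form (first answer) and narrowed to one role ARN.
TRUST_ROOT = _doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}})
TRUST_ROLE_ARN = _doc({"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": LAMBDA_ROLE}})
# Account A Lambda-role policies: with sts:AssumeRole on the target role, and S3-only.
LAMBDA_CAN_ASSUME = _doc({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE})
LAMBDA_S3_ONLY = _doc({"Effect": "Allow", "Action": "s3:*", "Resource": "*"})
# Account B bucket policy in the shape of the second answer: read access for account A's root.
BUCKET_POLICY = _doc({"Sid": "DelegateReadToAccountA", "Effect": "Allow",
                      "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
                      "Action": ["s3:Get*", "s3:List*"], "Resource": [BUCKET, BUCKET + "/*"]})


def can_assume(identity_policy, trust_policy, caller_arn=LAMBDA_ROLE):
    return cross_account_allowed(identity_policy, trust_policy, caller_arn, "sts:AssumeRole", TARGET_ROLE)


def can_read_object(identity_policy, caller_arn=LAMBDA_ROLE):
    return cross_account_allowed(identity_policy, BUCKET_POLICY, caller_arn, "s3:GetObject", OBJECT)
```

Calling can_assume(LAMBDA_CAN_ASSUME, TRUST_ROOT) and can_assume(LAMBDA_CAN_ASSUME, TRUST_ROLE_ARN) both return True, can_assume(LAMBDA_S3_ONLY, TRUST_ROOT) returns False because the caller side grants nothing for sts:AssumeRole, and can_assume(LAMBDA_CAN_ASSUME, TRUST_ROOT, OTHER_ROLE_IN_A) returns True while the same call with TRUST_ROLE_ARN returns False, which is the width-of-trust difference between the two Principal forms. On the bucket route, can_read_object(LAMBDA_S3_ONLY) is True and can_read_object(LAMBDA_CAN_ASSUME) is False. To check a real setup before deploying, json.load the actual trust, identity and bucket policy documents and pass them in. Because the model ignores explicit Deny, Conditions and SCPs, a True here is necessary but not sufficient for the real call to succeed; a False is a reliable sign that one side of the grant is missing.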
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
CrossAccountAccessRole:
  Type: 'AWS::IAM::Role'
  Properties:
    RoleName: 'CrossAccountAccessRole'
    Path: '/'
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: 'arn:aws:iam::<AccountA>:root'
...
        - PolicyName: LambdaAssumeRolePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: 'arn:aws:iam::<AccountB>:role/CrossAccountAccessRole'
import boto3

boto_sts_client = boto3.client('sts')

stsresponse = boto_sts_client.assume_role(
    RoleSessionName='CrossAccountAccessSession',
    RoleArn='arn:aws:iam::<Account-B>:role/CrossAccountAccessRole',
    DurationSeconds=3000  # 900 to 3600 s when chaining from Lambda's own assumed-role credentials
)