Amazon web services 如何在创建lambda时获得cloudformation创建的角色
以下是我在cloudformation中的lambda定义:Amazon web services 如何在创建lambda时获得cloudformation创建的角色,amazon-web-services,aws-lambda,amazon-cloudformation,aws-sam,Amazon Web Services,Aws Lambda,Amazon Cloudformation,Aws Sam,以下是我在cloudformation中的lambda定义: CommandTopic: Type: AWS::SNS::Topic Properties: DisplayName: 'ns-poc-commands' TopicName: 'ns-poc-commands' SendMessage: Type: AWS::Serverless::Function Properties: CodeUri: send_lambda
CommandTopic:
Type: AWS::SNS::Topic
Properties:
DisplayName: 'ns-poc-commands'
TopicName: 'ns-poc-commands'
SendMessage:
Type: AWS::Serverless::Function
Properties:
CodeUri: send_lambda
Handler: app.lambda_handler
Runtime: python3.7
FunctionName: send_message
MemorySize: 128
Timeout: 15
Policies:
- SNSPublishMessagePolicy:
TopicName: !Ref CommandTopic
现在我希望我的lambda能够将消息发布回CommandTopic,为此,我需要一个关于该主题的访问策略,该策略允许:
CommandTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
PolicyDocument:
Version: '2012-10-17'
Statement:
- Sid: SnsTopicPolicy
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sns:Publish
Resource: !Ref CommandTopic
Condition:
ArnEquals:
aws:SourceArn: !Ref SendMessage
- Sid: SnsRolePolicy
Effect: Allow
Principal:
AWS: !Ref SendMessageRole # -- 1
Action: sns:Publish
Resource: !Ref CommandTopic
Topics:
- Ref: CommandTopic
因此,我需要给主题一个指令,允许分配给我的lambda的用户向其发布消息
考虑由--1引用的行。实际上,它不起作用,因为该引用不可用
所以我不知道如何访问创建的角色。。。我不希望自己创建角色,因为这只会使事情变得更复杂,而且工作更繁重……根据文档,您必须将角色ARN作为主要值传递。现在您正在尝试传递角色名称(
!Ref sendmagesrole
)
如果角色信任策略中的主要元素包含
指向特定的IAM角色
有关更多信息,请查看
为了解决引用不存在的第二个问题,我建议在CommandTopicPolicy
资源中添加一个DependsOn
选项
它可能会如下所示
CommandTopicPolicy:
Type: AWS::SNS::TopicPolicy
DependsOn:
- SendMessage
Properties:
Topics:
- Ref: CommandTopic
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: SnsTopicPolicy
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sns:Publish
Resource: !Ref CommandTopic
Condition:
ArnEquals:
aws:SourceArn: !GetAtt SendMessage.Arn
- Sid: SnsRolePolicy
Effect: Allow
Principal:
AWS: !GetAtt SendMessageRole.Arn
Action: sns:Publish
Resource: !Ref CommandTopic
您是否有理由不想简单地修改Lambda函数的IAM策略,以便在sns主题ARN上包含sns:Publish?与其从SNS资源策略反向工作,还不如将访问策略添加到SNS topicand中。除此之外,我有这样一个功能:SendMessageLambda有一个嵌入式SNSPublishMessagePolicy,我应该更多地使用SAM和SNS;-)您是否可以为Lambda函数创建IAM角色作为模板中的显式资源,而不是让SAM自动生成它,然后简单地引用
角色:!在Lambda函数和主题策略中获取att SendMessageRole.Arn
?或者也许可以找出SAM的自动生成命名策略,以便您可以推断策略资源名称或策略ARN?