Amazon web services 更新堆栈以添加S3触发器时出错
我使用cloudformation堆栈成功地创建了lambda函数和S3 bucket。然后,我对堆栈进行了更新,向S3 bucket添加了一个触发器,以调用lambda函数 当我运行更新时,会出现以下错误:Amazon web services 更新堆栈以添加S3触发器时出错,amazon-web-services,amazon-s3,aws-lambda,Amazon Web Services,Amazon S3,Aws Lambda,我使用cloudformation堆栈成功地创建了lambda函数和S3 bucket。然后,我对堆栈进行了更新,向S3 bucket添加了一个触发器,以调用lambda函数 当我运行更新时,会出现以下错误: Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: XXXXX
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: XXXXX; S3 Extended Request ID: XXXXX
这是我用来将触发器添加到S3 bucket的更新JSON:
"MyBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "my-bucket",
"NotificationConfiguration": {
"LambdaConfigurations": [
{
"Event": "s3:ObjectCreated:*",
"Function": "arn:aws:lambda:ap-southeast-2:my-lambda-arn"
}
]
}
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "<optional>",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "<ArnToYourFunction>",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "<YourAccountId>"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::<YourBucketName>"
}
}
}
]
}
然后,我添加了一个IAM角色,以允许访问S3 bucket来调用lambda函数:
"ResourceAccess": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/",
"Policies": [
{
"PolicyName": "giveaccesstodeltas3",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:ap-southeast-2:my-lambda-arn",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "123456"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::my-bucket"
}
}
}
]
}
}
]
}
它给出了一个错误,说:
Policy document should not specify a principal. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: XXXXXX)
为了添加这个触发器,您必须给予S3 bucket调用lambda函数的权限。此外,您的lambda必须具有调用其影响的任何服务的权限。我猜您缺少要授予的第一个权限: S3 bucket调用lambda函数的权限 您可以创建类似于以下内容的策略,以向S3存储桶授予适当的权限:
"MyBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketName": "my-bucket",
"NotificationConfiguration": {
"LambdaConfigurations": [
{
"Event": "s3:ObjectCreated:*",
"Function": "arn:aws:lambda:ap-southeast-2:my-lambda-arn"
}
]
}
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "<optional>",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "<ArnToYourFunction>",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "<YourAccountId>"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:s3:::<YourBucketName>"
}
}
}
]
}
{
“版本”:“2012-10-17”,
“Id”:“默认值”,
“声明”:[
{
“Sid”:“,
“效果”:“允许”,
“委托人”:{
“服务”:“s3.amazonaws.com”
},
“操作”:“lambda:InvokeFunction”,
“资源”:"有关详细信息。函数不存在或arn无效?我直接从函数中复制并粘贴了arn感谢您的回答。我添加了一个策略,但在部署时出现了更新问题中显示的错误。您是否尝试从策略中删除主体定义?是的,没有主体it错误:缺少要求红场校长