Amazon web services AWS StepFunctions:通过lambda使用AWS-SDK创建状态机时出错_Amazon Web Services_Aws Lambda_Aws Step Functions_Aws Iam_Amazon Iam

Amazon web services AWS StepFunctions:通过lambda使用AWS-SDK创建状态机时出错

amazon-web-services aws-lambda

Amazon web services AWS StepFunctions:通过lambda使用AWS-SDK创建状态机时出错,amazon-web-services,aws-lambda,aws-step-functions,aws-iam,amazon-iam,Amazon Web Services,Aws Lambda,Aws Step Functions,Aws Iam,Amazon Iam,我正在尝试使用AWS sdk在AWS步骤函数中创建状态机，例如 stepfunctions.createStateMachine(params, function(err, data)... 我在AWS控制台中创建了一个lambda，并添加了创建状态机的代码。我还为角色提供了执行此lambda和创建状态机的权限。我还使用模拟器验证了角色权限，这很好（允许）。但是当我执行lambda时，我得到了AccessDeniedException errorMessage": "User: arn:

我正在尝试使用AWS sdk在AWS步骤函数中创建状态机，例如

stepfunctions.createStateMachine(params, function(err, data)...

我在AWS控制台中创建了一个lambda，并添加了创建状态机的代码。我还为角色提供了执行此lambda和创建状态机的权限。我还使用模拟器验证了角色权限，这很好（允许）。但是当我执行lambda时，我得到了AccessDeniedException

   errorMessage": "User: arn:aws:sts::555555555:assumed-role/SFN_API_role/SFAPITest is not authorized to perform: states:CreateStateMachine on resource: arn:aws:states:us-east-1:555555555:stateMachine:*",
  "errorType": "AccessDeniedException

“SFN_API_角色”是角色，“SFAPIEST”是lambda。以下是定义的策略：

 {
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "states:ListStateMachines",
            "states:ListActivities",
            "states:CreateStateMachine",
            "states:CreateActivity"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "lambda:*"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "states:DescribeStateMachine",
            "states:StartExecution",
            "states:DeleteStateMachine",
            "states:ListExecutions"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "states:DescribeExecution",
            "states:GetExecutionHistory",
            "states:StopExecution"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "states:DescribeActivity",
            "states:DeleteActivity",
            "states:GetActivityTask",
            "states:SendTaskSuccess",
            "states:SendTaskFailure",
            "states:SendTaskHeartbeat"
        ],
        "Resource": [
            "*"
        ]
    }
]

}

任何指点都很感激

您使用的是

“资源”：[“*”]

而不是

“资源”：“*”

。只需将策略的第一部分更改为以下内容：

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "states:ListStateMachines",
            "states:ListActivities",
            "states:CreateStateMachine",
            "states:CreateActivity"
        ],
        "Resource": "*"
    },
...

我认为日志足够清楚-拒绝访问异常，这意味着您假定的角色没有创建状态机的权限