AWS Lambda: cannot add a policy in a SAM template
I am publishing my application in the AWS Serverless Application Repository using a SAM template. But when I try to add a policy for the lambda, this error is shown:

Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [SyncPostDataFromSfLambda] is invalid. Only policy templates are supported in the 'Policies' property.

Here is a sample of my SAM template:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Description": "Deployment",
  "Resources": {
    "SyncPostDataToSfLambda": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler",
        "FunctionName": "myLambdaFunction",
        "CodeUri": "s3 URL",
        "Runtime": "nodejs6.10",
        "MemorySize": 512,
        "Policies": [
          "AmazonDynamoDBFullAccess"
        ],
        "Events": {
          "PostResource": {
            "Type": "Api",
            "Properties": {
              "RestApiId": {
                "Ref": "API"
              },
              "Path": "/apipath",
              "Method": "post"
            }
          }
        }
      }
    }
  }
}
It seems that currently only SAM policy templates can be used. AWS maintains the authoritative information/overview of SAM policy templates here: . That document also states that if you need more AWS resources and/or policy templates, you should contact . For a brief overview and examples of how to use them, see: . Here is an overview of the SAM policy templates supported at the time this answer was posted:
- SQSPollerPolicy (grants sqs:DeleteMessage, sqs:ReceiveMessage)
- LambdaInvokePolicy (grants lambda:InvokeFunction)
- CloudWatchPutMetricPolicy (grants cloudwatch:PutMetricData)
- EC2DescribePolicy (grants ec2:DescribeRegions, ec2:DescribeInstances)
- DynamoDBCrudPolicy (grants dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:PutItem, dynamodb:Scan, dynamodb:Query, dynamodb:UpdateItem, dynamodb:BatchWriteItem, dynamodb:BatchGetItem)
- DynamoDBReadPolicy (grants dynamodb:GetItem, dynamodb:Scan, dynamodb:Query, dynamodb:BatchGetItem)
- SESSendBouncePolicy (grants ses:SendBounce)
- ElasticsearchHttpPostPolicy (grants es:ESHttpPost)
- S3ReadPolicy (grants s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:GetLifecycleConfiguration)
- S3CrudPolicy (grants s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:PutObject, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration)
- AMIDescribePolicy (grants ec2:DescribeImages)
- CloudFormationDescribeStacksPolicy (grants cloudformation:DescribeStacks)
- RekognitionNoDataAccessPolicy (grants rekognition:CompareFaces, rekognition:DetectFaces, rekognition:DetectLabels, rekognition:DetectModerationLabels)
- RekognitionReadPolicy (grants rekognition:ListCollections, rekognition:ListFaces, rekognition:SearchFaces, rekognition:SearchFacesByImage)
- RekognitionWriteOnlyAccessPolicy (grants rekognition:CreateCollection, rekognition:IndexFaces)
- SQSSendMessagePolicy (grants sqs:SendMessage*)
- SNSPublishMessagePolicy (grants sns:Publish)
- VPCAccessPolicy (grants ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface)
- DynamoDBStreamReadPolicy (grants dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:ListStreams)
- KinesisStreamReadPolicy (grants kinesis:ListStreams, kinesis:DescribeLimits)
- SESCrudPolicy (grants ses:GetIdentityVerificationAttributes, ses:SendEmail, ses:VerifyEmailIdentity)
- SNSCrudPolicy (grants sns:ListSubscriptionsByTopic, sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sns:Publish)
- KinesisCrudPolicy (grants kinesis:AddTagsToStream, kinesis:CreateStream, kinesis:DecreaseStreamRetentionPeriod, kinesis:DeleteStream, kinesis:DescribeStream, kinesis:GetShardIterator, kinesis:IncreaseStreamRetentionPeriod, kinesis:ListTagsForStream, kinesis:MergeShards, kinesis:PutRecord, kinesis:SplitShard, kinesis:RemoveTagsFromStream)
- KMSDecryptPolicy (grants kms:Decrypt)
Resources:
  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      Policies:
        - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
                - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
                - ssm:GetParameters
                - ssm:GetParameter
              Resource: '*'
References:
Here is the full list from the example in the official repo:
Transform: AWS::Serverless-2016-10-31
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: src/
      Handler: index.handler
      Runtime: nodejs4.3
      Policies:
        - SQSPollerPolicy:
            QueueName: name
        - LambdaInvokePolicy:
            FunctionName: name
        - CloudWatchPutMetricPolicy: {}
        - EC2DescribePolicy: {}
        - DynamoDBCrudPolicy:
            TableName: name
        - DynamoDBReadPolicy:
            TableName: name
        - SESSendBouncePolicy:
            IdentityName: name
        - ElasticsearchHttpPostPolicy:
            DomainName: name
        - S3ReadPolicy:
            BucketName: name
        - S3CrudPolicy:
            BucketName: name
        - AMIDescribePolicy: {}
        - CloudFormationDescribeStacksPolicy: {}
        - RekognitionDetectOnlyPolicy: {}
        - RekognitionNoDataAccessPolicy:
            CollectionId: id
        - RekognitionReadPolicy:
            CollectionId: id
        - RekognitionWriteOnlyAccessPolicy:
            CollectionId: id
        - RekognitionLabelsPolicy: {}
        - SQSSendMessagePolicy:
            QueueName: name
        - SNSPublishMessagePolicy:
            TopicName: name
        - VPCAccessPolicy: {}
        - DynamoDBStreamReadPolicy:
            TableName: name
            StreamName: name
        - KinesisStreamReadPolicy:
            StreamName: name
        - SESCrudPolicy:
            IdentityName: name
        - SNSCrudPolicy:
            TopicName: name
        - KinesisCrudPolicy:
            StreamName: name
        - KMSDecryptPolicy:
            KeyId: keyId
        - SESBulkTemplatedCrudPolicy:
            IdentityName: name
        - SESEmailTemplateCrudPolicy: {}
        - FilterLogEventsPolicy:
            LogGroupName: name
        - StepFunctionsExecutionPolicy:
            StateMachineName: name
I want to grant full DynamoDB access. Please guide me whether there is a way to grant the lambda custom permissions.
Thanks Oliver, but I have to grant permission to read a DynamoDB stream, and I don't know the table name beforehand. It depends on which table the user wants to connect my lambda to. Can you help me? Thanks for your time.
I don't think that is available out of the box right now. But you can manually add the role/permissions after creating the lambda function (using IAM).
I suggest you read more about how this site actually works. Start from , especially why answers get deleted. Stack Overflow is not "the web" but a professional Q&A site with specific rules, and it does not tolerate users who don't read and follow the rules.
How do you add multiple resources to one policy? Say I want to add multiple S3 buckets?
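As an added example (not code from the question, the answers or AWS), the following Python script checks the Policies lists of a SAM template before it is uploaded to the Serverless Application Repository, which, as the error in the question states, accepts only the policy templates listed in the answers above. It encodes the template names and placeholder keys from that list, rejects bare managed-policy names such as AmazonDynamoDBFullAccess (which is dynamodb:* on Resource '*', so it also grants every table in the account rather than one) and inline Statement documents, and warns when an inline statement allows actions on Resource '*'. The three embedded templates are constructed for the example: the question's function, the inline-Statement form from the answer above, and a version that uses only policy templates. The Parameter names TableName, UploadBucket and ArchiveBucket are assumptions; passing a Ref to a Parameter as the placeholder value is how you scope a policy template to a table or bucket whose name is only known at deploy time, a StreamName of '*' matches any stream label of that one table, and one S3 entry per bucket grants several buckets, which covers the last two questions in the comments.

```python
"""Pre-publish lint for the Policies list of AWS::Serverless::Function resources.
Added example for this page, not AWS, SAM or SAR code.  It encodes the rule behind
the error in the question (the Serverless Application Repository accepts only SAM
policy templates) using the names and placeholder keys listed on this page."""
from typing import Any, Optional

# SAM policy template -> placeholder keys it takes (taken from the page's list).
POLICY_TEMPLATES: dict[str, tuple[str, ...]] = {
    "SQSPollerPolicy": ("QueueName",), "SQSSendMessagePolicy": ("QueueName",),
    "LambdaInvokePolicy": ("FunctionName",), "CloudWatchPutMetricPolicy": (),
    "EC2DescribePolicy": (), "AMIDescribePolicy": (), "VPCAccessPolicy": (),
    "DynamoDBCrudPolicy": ("TableName",), "DynamoDBReadPolicy": ("TableName",),
    "DynamoDBStreamReadPolicy": ("TableName", "StreamName"),
    "S3ReadPolicy": ("BucketName",), "S3CrudPolicy": ("BucketName",),
    "SESSendBouncePolicy": ("IdentityName",), "SESCrudPolicy": ("IdentityName",),
    "SESBulkTemplatedCrudPolicy": ("IdentityName",), "SESEmailTemplateCrudPolicy": (),
    "ElasticsearchHttpPostPolicy": ("DomainName",), "CloudFormationDescribeStacksPolicy": (),
    "RekognitionDetectOnlyPolicy": (), "RekognitionLabelsPolicy": (),
    "RekognitionNoDataAccessPolicy": ("CollectionId",), "RekognitionReadPolicy": ("CollectionId",),
    "RekognitionWriteOnlyAccessPolicy": ("CollectionId",),
    "SNSPublishMessagePolicy": ("TopicName",), "SNSCrudPolicy": ("TopicName",),
    "KinesisStreamReadPolicy": ("StreamName",), "KinesisCrudPolicy": ("StreamName",),
    "KMSDecryptPolicy": ("KeyId",), "FilterLogEventsPolicy": ("LogGroupName",),
    "StepFunctionsExecutionPolicy": ("StateMachineName",),
}


def lint_policies(template: dict[str, Any]) -> list[str]:
    """Return one finding per problem; an empty list means Policies is SAR-ready."""
    findings: list[str] = []
    # Names a {"Ref": ...} placeholder value may legitimately point at.
    known = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    for func, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        policies = res.get("Properties", {}).get("Policies", [])
        policies = policies if isinstance(policies, list) else [policies]
        for entry in policies:
            if isinstance(entry, str):
                # Managed policy names work in plain SAM but not in SAR, and
                # AmazonDynamoDBFullAccess is dynamodb:* on Resource '*'.
                findings.append(f"{func}: '{entry}' is a managed policy, not a policy template")
            elif isinstance(entry, dict) and "Statement" in entry:
                findings.append(f"{func}: inline policy document is not a policy template")
                for s in entry["Statement"]:
                    if s.get("Effect") == "Allow" and s.get("Resource") == "*":
                        findings.append(f"{func}: {s.get('Sid', '<no Sid>')} allows "
                                        f"{s.get('Action')} on Resource '*'")
            elif isinstance(entry, dict) and len(entry) == 1:
                key, value = next(iter(entry.items()))
                if key not in POLICY_TEMPLATES:
                    findings.append(f"{func}: '{key}' is not a SAM policy template")
                    continue
                value = value or {}
                missing = [p for p in POLICY_TEMPLATES[key] if p not in value]
                if missing:
                    findings.append(f"{func}: {key} is missing placeholder(s) {missing}")
                for p, v in value.items():
                    if isinstance(v, dict) and "Ref" in v and v["Ref"] not in known:
                        findings.append(f"{func}: {key}.{p} refers to unknown '{v['Ref']}'")
            else:
                findings.append(f"{func}: unrecognised Policies entry {entry!r}")
    return findings


def function_with(policies: list, params: Optional[dict] = None) -> dict:
    """Wrap a Policies list in a minimal template around the question's function (constructed)."""
    return {"AWSTemplateFormatVersion": "2010-09-09", "Transform": "AWS::Serverless-2016-10-31",
            "Parameters": params or {},
            "Resources": {"SyncPostDataToSfLambda": {
                "Type": "AWS::Serverless::Function",
                "Properties": {"Handler": "index.handler", "Runtime": "nodejs6.10",
                               "Policies": policies}}}}


# 1. The question's template: a managed policy name, which SAR rejects.
QUESTION = function_with(["AmazonDynamoDBFullAccess"])
# 2. The inline-Statement form from the answer above: accepted by plain SAM, but it
#    is not a policy template and both statements are scoped to Resource '*'.
INLINE = function_with([{"Statement": [
    {"Sid": "SSMDescribeParametersPolicy", "Effect": "Allow",
     "Action": ["ssm:DescribeParameters"], "Resource": "*"},
    {"Sid": "SSMGetParameterPolicy", "Effect": "Allow",
     "Action": ["ssm:GetParameters", "ssm:GetParameter"], "Resource": "*"}]}])
# 3. Policy templates only.  Table and bucket names are Parameters the deployer
#    fills in, so the publisher need not know them in advance; one S3 entry per
#    bucket grants several buckets.  The Parameter names are assumptions.
FIXED = function_with(
    [{"DynamoDBCrudPolicy": {"TableName": {"Ref": "TableName"}}},
     {"DynamoDBStreamReadPolicy": {"TableName": {"Ref": "TableName"}, "StreamName": "*"}},
     {"S3CrudPolicy": {"BucketName": {"Ref": "UploadBucket"}}},
     {"S3ReadPolicy": {"BucketName": {"Ref": "ArchiveBucket"}}}],
    params={n: {"Type": "String"} for n in ("TableName", "UploadBucket", "ArchiveBucket")},
)

if __name__ == "__main__":
    for label, tpl in (("question", QUESTION), ("inline", INLINE), ("fixed", FIXED)):
        print(label, lint_policies(tpl) or "OK")
```

Running the script prints one finding for the question's template, three for the inline form (one because it is not a policy template, two for the Resource '*' statements) and OK for the fixed template. The missing-placeholder and unknown-Ref checks catch the other common mistakes: a template entry written as `DynamoDBCrudPolicy: {}` or a Ref to a Parameter that was never declared.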