AWS Lambda: error creating IAM role: MalformedPolicyDocument: Has prohibited field Resource
I am trying to create a Lambda role and attach to it a policy that allows all ElasticSearch cluster actions. Here is the code:
    # First attempt: a permissions statement (es:* on Resource "*") placed in
    # assume_role_policy. A trust policy may not carry a Resource field, which is
    # what produces "MalformedPolicyDocument: Has prohibited field Resource".
    resource "aws_iam_role" "lambda_iam" {
      name = "lambda_iam"
      assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": [
          "es:*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }]
    }
    EOF
    }

    resource "aws_lambda_function" "developmentlambda" {
      filename         = "lambda_function.zip"
      function_name    = "name"
      role             = "${aws_iam_role.lambda_iam.arn}"
      handler          = "exports.handler"
      source_code_hash = "${filebase64sha256("lambda_function.zip")}"
      runtime          = "nodejs10.x"
    }
The Terraform documentation on Resource says you can specify a * for all users. The Principal field is also not required, so that is not the problem.

I changed it anyway to
    resource "aws_iam_role" "lambda_iam" {
      name = "lambda_iam"
      # Second attempt: a proper trust statement (sts:AssumeRole with a
      # Principal and no Resource), but naming es.amazonaws.com as the principal.
      assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "es.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
    EOF
    }
My lambda function definition is simple
    resource "aws_lambda_function" "development_lambda" {
      filename         = "dev_lambda_function.zip"
      function_name    = "dev_lambda_function_name"
      role             = "${aws_iam_role.lambda_iam.arn}"
      handler          = "exports.test"
      source_code_hash = "${filebase64sha256("dev_lambda_function.zip")}"
      runtime          = "nodejs10.x"
    }
The lambda file itself has nothing in it, but I don't know whether that explains the error.

Is there something missing here?

The assume-role policy is the role's trust policy, which controls who may assume the role. It is not the role's permissions policy, which grants permissions to the entity that has assumed it.

A Lambda execution role needs both kinds of policy.

The immediate error is that Lambda cannot assume the role defined for the function, because it needs Principal: {Service: lambda.amazonaws.com} rather than es.amazonaws.com, which is what is in the permissions policy. I don't use Terraform, but it looks like aws_iam_policy may be the resource this is based on; I assume that is the reference you are using.

Yes, that is what I am using. What is the best way to allow a Lambda function to have permission for all Elasticsearch actions? That is what I am trying to do here. Any help would be appreciated.

I wrote this answer a while ago, which may help give some extra context on how assume-role policies fit into the bigger picture:

Thanks @MartinAtkins. That was helpful.
    Error creating Lambda function: InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda.
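To show the two-policy split the answer describes in full, here is an added example; it is not code from the question or from the answerer. It defines a role whose trust policy names lambda.amazonaws.com, a separate permissions policy that carries es:* together with a Resource, the attachment joining them, and the function. It assumes Terraform 0.12+ syntax (jsonencode, no "${}" wrapping of bare references), a variable es_domain_name for the Elasticsearch domain the permissions are scoped to, and the same zip, handler and runtime as the question; the variable, the policy names and the CloudWatch Logs attachment are illustrative assumptions, not anything from the original post.

```hcl
# Added example (not from the original post): the two policies a Lambda
# execution role needs. Assumptions: Terraform 0.12+, the Elasticsearch
# domain name is supplied as var.es_domain_name, and the zip/handler/runtime
# are copied from the question for illustration.

variable "es_domain_name" {
  description = "Name of the Elasticsearch domain the function may call (assumed)"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# 1. Trust policy: WHO may assume the role. Only Effect/Action/Principal
#    belong here. A Resource field in this document is what raised
#    "MalformedPolicyDocument: Has prohibited field Resource".
resource "aws_iam_role" "lambda_iam" {
  name = "lambda_iam"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "lambda.amazonaws.com" } # not es.amazonaws.com
    }]
  })
}

# 2. Permissions policy: WHAT the role may do once assumed. This is where
#    es:* and Resource belong. Scoped to one domain (and its sub-resources)
#    instead of "*", so the function cannot touch other domains.
resource "aws_iam_policy" "lambda_es" {
  name = "lambda_es_access" # assumed name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = ["es:*"]
      Resource = [
        "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.es_domain_name}",
        "arn:aws:es:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:domain/${var.es_domain_name}/*",
      ]
    }]
  })
}

# Attach the permissions policy to the role; the role alone grants nothing.
resource "aws_iam_role_policy_attachment" "lambda_es" {
  role       = aws_iam_role.lambda_iam.name
  policy_arn = aws_iam_policy.lambda_es.arn
}

# Optional (assumed): lets the function write its own CloudWatch Logs.
resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_iam.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_lambda_function" "development_lambda" {
  filename         = "dev_lambda_function.zip"
  function_name    = "dev_lambda_function_name"
  role             = aws_iam_role.lambda_iam.arn
  handler          = "exports.test"
  source_code_hash = filebase64sha256("dev_lambda_function.zip")
  runtime          = "nodejs10.x"

  # Ensure the permissions are attached before Lambda validates the role.
  depends_on = [aws_iam_role_policy_attachment.lambda_es]
}
```

Run it with terraform init and terraform apply -var es_domain_name=your-domain. The trust policy contains no Resource and names lambda.amazonaws.com, which addresses both errors seen in the question; the es:* grant lives in the attached permissions policy. If you genuinely need every domain in the account, change Resource to "*", but a single domain ARN is the tighter default. Note also that nodejs10.x has reached end of life on Lambda, so a new deployment should pick a currently supported runtime.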