Aws lambda 如何配置AWS lambda执行角色以能够列出批处理作业?
我在正确配置Lambda以运行批处理作业时遇到问题。代码如下所示:Aws lambda 如何配置AWS lambda执行角色以能够列出批处理作业?,aws-lambda,aws-batch,aws-iam,Aws Lambda,Aws Batch,Aws Iam,我在正确配置Lambda以运行批处理作业时遇到问题。代码如下所示: client = boto3.client('batch') _job_queue = os.environ['JOB_QUEUE'] _job_definition = os.environ['JOB_DEFINITION'] _job_name = os.environ['START_JOB_NAME'] def lambda_handler(event, context): return start_job()
client = boto3.client('batch')
_job_queue = os.environ['JOB_QUEUE']
_job_definition = os.environ['JOB_DEFINITION']
_job_name = os.environ['START_JOB_NAME']
def lambda_handler(event, context):
return start_job()
def start_job():
response = client.list_jobs(jobQueue=_job_queue)
if _job_name in [job.jobName for job in response['jobSummaryList']]:
return 200
try:
client.submit_job(jobName=_job_name, jobQueue=_job_queue, jobDefinition=_job_definition)
return 201
except:
return 400
在客户端上失败。列出作业(作业队列=\u作业队列),出现以下错误:
“errorMessage”:“发生错误(AccessDeniedException)时
调用ListJobs操作:用户:
arn:aws:sts::749340585813:假定角色/myproject/dev-StartJobLambda-HZO22Z5IMTFB
未被授权对资源执行:批处理:列表作业:
arn:aws:batch:us-west-2:749340585813:/v1/listjobs“
如果我将我的访问密钥添加到上面的lambda,它就可以正常工作。我假设这是因为我有管理员权限,并且作为我的用户进行身份验证会给lambda我的权限
我的lambda定义如下所示:
"StartJobLambda": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Description": "Starts the My Project model training job.",
"Role": {
"Fn::GetAtt": [
"StartJobRole",
"Arn"
]
},
"Runtime": "python3.6",
"Handler": {
"Fn::Sub": "${StartJobModule}.lambda_handler"
},
"Tags": [
{
"Key": "environment",
"Value": {
"Ref": "Environment"
}
},
{
"Key": "project",
"Value": "myproject"
}
],
"Environment": {
"Variables": {
"JOB_QUEUE": {
"Ref": "JobQueue"
},
"JOB_DEFINITION": {
"Ref": "TrainingJob"
}
}
},
"Code": {
"S3Bucket": {
"Ref": "CodeBucket"
},
"S3Key": {
"Ref": "StartJobKey"
}
},
"VpcConfig": {
"SubnetIds": [
{
"Fn::ImportValue": {
"Fn::Sub": "${NetworkStackNameParameter}-PrivateSubnet"
}
},
{
"Fn::ImportValue": {
"Fn::Sub": "${NetworkStackNameParameter}-PrivateSubnet2"
}
}
],
"SecurityGroupIds": [
{
"Fn::ImportValue": {
"Fn::Sub": "${NetworkStackNameParameter}-TemplateSecurityGroup"
}
}
]
}
}
}
还将创建以下角色和策略:
"StartJobRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "myproject-start-job",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/"
}
},
"StartJobBatchPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "start-job-batch-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"batch:ListJobs",
"batch:SubmitJob"
],
"Resource": [
{
"Ref": "JobQueue"
}
]
}
]
},
"Roles": [
{
"Ref": "StartJobRole"
}
]
}
}
此外,还有一个使lambda能够在VPC上运行的角色:
"LambdaVPCExecutionRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"RoleName": "myproject-lambda-vpc-execution-role",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"Path": "/"
}
},
"LambdaVPCExecutionPolicy": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyName": "lambda-vpc-execution-policy",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
}
]
},
"Roles": [
{
"Ref": "LambdaVPCExecutionRole"
},
{
"Ref": "StartJobRole"
}
]
}
},
这是CloudFormation需要改进的地方某些AWS服务不允许资源级权限,但当您尝试创建它们时,您的堆栈将成功。对于IAM相关问题,有时您需要进入控制台,验证您的策略未处于警告状态。至少,AWS将标记尝试对不允许的服务应用资源级别权限的策略
例如,对于DynamoDB,必须授予对所有表的访问权。您不能将访问限制或重新限制到单个表。如果尝试创建cloudformation IAM策略,它不会失败,但不会达到预期效果。创建此堆栈后,如果在IAM中的“角色”下查看,是否可以确认ListJobs操作已授权用于资源级别权限?在“IAM角色”下,我看到我的lambda执行角色以及附加的策略。策略StartJobBatchPolicy列出了作业队列资源的“batch:ListJobs”操作,它是可见的。当我使用策略编辑器时,它表示不允许我指定资源。它创建了一个适用于所有资源的策略(例如Resource:“*”)。我将尝试使用上面提到的“Resource”更改重新创建它。谢谢,这为我指明了正确的方向。这个小小的变化解决了这个问题。难以置信!:)