AWS Lambda: specifying which resources are allowed to invoke a function in its AWS SAM function template


TL;DR: how should I edit the template below so that the function can be invoked by a user pool trigger?

I am trying to wrap a CloudFormation template around a Lambda function that defines which services the function can call and which services can call it. It should run from a Cognito user pool trigger.

To do this I defined a resource of type AWS::Serverless::Function in the template, abbreviated below. Note the Policies section:

Resources:
  MyFunctionResource:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: MyFunctionName
      CodeUri: ./
      Handler: "lambda_function.lambda_handler"
      MemorySize: 128
      Runtime: python3.7
      Timeout: 3
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-idp:*"
                - "logs:*"
                ...
              Resource: "*"
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: "lambda:InvokeFunction"
              Principal:
                Service: cognito-idp.amazonaws.com
              Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunctionName"
The second policy I inserted, meant to restrict which resources can invoke my function, fails during stack creation:

策略文档不应指定主体。(服务:AmazonIdentityManagement;状态代码:400;错误代码:格式错误的策略文档;请求ID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx)


When I remove that policy with the principal, access to the function from the user pool trigger is denied.

I found that the permission should be created as a separate resource, whose type accepts either the function name or the ARN it will be attached to.

So the following logic successfully creates the function together with the permission (also known as a function policy):

Resources:
  MyFunctionResource:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: MyFunctionName
      CodeUri: ./
      Handler: "lambda_function.lambda_handler"
      MemorySize: 128
      Runtime: python3.7
      Timeout: 3
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-idp:*"
                - "logs:*"
                ...
              Resource: "*"
## Remove this section
#       - Version: "2012-10-17"
#         Statement:
#           - Effect: Allow
#             Action: "lambda:InvokeFunction"
#             Principal:
#               Service: cognito-idp.amazonaws.com
#             Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunctionName"

## Add this instead
  MyFunctionPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !GetAtt MyFunctionResource.Arn
      Principal: "cognito-idp.amazonaws.com"
      SourceArn: !Sub "arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*"
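Added example, not from the post above: the same pattern with the user pool trigger wired up in one template, so the invoke permission can be scoped to that pool's ARN instead of userpool/*. The MyUserPool resource, the PreSignUp trigger and the cognito-idp:AdminGetUser action are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31

Resources:
  # Assumed user pool, defined in the same template so its ARN can be referenced.
  MyUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: my-user-pool
      LambdaConfig:
        # Which trigger calls the function; PreSignUp is an assumed choice.
        PreSignUp: !GetAtt MyFunctionResource.Arn

  MyFunctionResource:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: MyFunctionName
      CodeUri: ./
      Handler: lambda_function.lambda_handler
      Runtime: python3.7
      MemorySize: 128
      Timeout: 3
      # Execution-role policy: what the function itself may call.
      # No Principal belongs here; that is what produced the MalformedPolicyDocument error.
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: cognito-idp:AdminGetUser   # assumed action the trigger needs
              # !GetAtt MyUserPool.Arn cannot be used here: the pool already references
              # the function, so a role-to-pool reference would close a dependency cycle.
              Resource: !Sub "arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*"

  # Resource-based policy: who may invoke the function.
  MyFunctionPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt MyFunctionResource.Arn
      Principal: cognito-idp.amazonaws.com
      # Only this pool may invoke, not every pool in the account (userpool/*).
      SourceArn: !GetAtt MyUserPool.Arn
```

If the pool lives in another stack, pass its ARN in as a Parameter and use !Ref there instead of !GetAtt.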