AWS Lambda: specifying the resources allowed to invoke the function in its AWS SAM function template
Tags: aws-lambda, amazon-iam, aws-sam

TL;DR: how should I edit the template below so that the function can be triggered by a user pool trigger?

I am trying to wrap a CloudFormation template around a Lambda function, defining the services the function may call and the services it may be called from. It should run as a Cognito user pool trigger. To do this I defined a resource of type AWS::Serverless::Function in the template, shown in brief below. Note the Policies section:
Resources:
  MyFunctionResource:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: MyFunctionName
      CodeUri: ./
      Handler: "lambda_function.lambda_handler"
      MemorySize: 128
      Runtime: python3.7
      Timeout: 3
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-idp:*"
                - "logs:*"
                ...
              Resource: "*"
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: "lambda:InvokeFunction"
              Principal:
                Service: cognito-idp.amazonaws.com
              Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunctionName"
The second policy, which I inserted to restrict the resources that may invoke my function, fails during stack creation:

Policy document should not specify a principal. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx)

When I remove that policy with the principal, access to the function from the user pool trigger is denied. I found that the permission should be created as a separate resource, whose type can take either the function name or the ARN it will be attached to. So the following successfully created the function together with its permission (also known as the function policy):
Resources:
  MyFunctionResource:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: MyFunctionName
      CodeUri: ./
      Handler: "lambda_function.lambda_handler"
      MemorySize: 128
      Runtime: python3.7
      Timeout: 3
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action:
                - "cognito-idp:*"
                - "logs:*"
                ...
              Resource: "*"
        ## Remove this section
        # - Version: "2012-10-17"
        #   Statement:
        #     - Effect: Allow
        #       Action: "lambda:InvokeFunction"
        #       Principal:
        #         Service: cognito-idp.amazonaws.com
        #       Resource: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunctionName"
  ## Add this instead
  MyFunctionPermissions:
    Type: AWS::Lambda::Permission
    Properties:
      Action: "lambda:InvokeFunction"
      FunctionName: !GetAtt MyFunctionResource.Arn
      Principal: "cognito-idp.amazonaws.com"
      SourceArn: !Sub "arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*"
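As an added check that is not part of the question or its templates: a small Python lint that flags the two mistakes discussed above, a Principal inside the execution-role Policies (the IAM error) and a missing or unpinned AWS::Lambda::Permission (which would let any user pool in any account invoke the function). It assumes the template has already been loaded into dicts, for example with PyYAML or cfn-flip, with intrinsics in long form such as {"Fn::Sub": ...}; the embedded BROKEN and FIXED inputs are constructed from the two templates on this page.

```python
# Lint a SAM template already loaded into dicts (e.g. PyYAML or cfn-flip, with
# intrinsics in long form such as {"Fn::Sub": ...}) for the two mistakes above.
FUNCTION, PERMISSION = "AWS::Serverless::Function", "AWS::Lambda::Permission"

def _statements(policy):
    # SAM policy-template names and managed-policy ARNs are plain strings.
    stmts = policy.get("Statement", []) if isinstance(policy, dict) else []
    return stmts if isinstance(stmts, list) else [stmts]

def _targets(value, logical_id):
    # FunctionName may be a literal, {"Ref": id} or {"Fn::GetAtt": [id, "Arn"]}.
    if isinstance(value, dict):
        return (value.get("Ref") or value.get("Fn::GetAtt", [None])[0]) == logical_id
    return value == logical_id

def role_policy_principals(template):
    # `Policies` become the execution role's identity policies; a Principal there
    # is what IAM rejects as "Policy document should not specify a principal".
    return [(name, i) for name, res in template.get("Resources", {}).items()
            if res.get("Type") == FUNCTION
            for i, pol in enumerate(res.get("Properties", {}).get("Policies", []))
            if any("Principal" in s for s in _statements(pol))]

def invoke_permission_issues(template, logical_id):
    # The resource-based side must exist and be pinned to a source; without
    # SourceArn/SourceAccount any user pool in any account could invoke it.
    perms = [r.get("Properties", {}) for r in template.get("Resources", {}).values()
             if r.get("Type") == PERMISSION
             and _targets(r.get("Properties", {}).get("FunctionName"), logical_id)]
    if not perms:
        return ["no AWS::Lambda::Permission grants the trigger invoke access"]
    issues = ["permission Principal is '*'" for p in perms if p.get("Principal") == "*"]
    issues += ["permission has no SourceArn/SourceAccount" for p in perms
               if not (p.get("SourceArn") or p.get("SourceAccount"))]
    return issues

# Constructed from the page's two templates, trimmed to what the checks read.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cognito-idp:*", "logs:*"], "Resource": "*"}]}
INLINE_PERMISSION = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "lambda:InvokeFunction", "Principal": {"Service": "cognito-idp.amazonaws.com"},
    "Resource": {"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:MyFunctionName"}}]}
BROKEN = {"Resources": {"MyFunctionResource": {"Type": FUNCTION, "Properties": {
    "FunctionName": "MyFunctionName", "Policies": [ROLE_POLICY, INLINE_PERMISSION]}}}}
FIXED = {"Resources": {
    "MyFunctionResource": {"Type": FUNCTION, "Properties": {"FunctionName": "MyFunctionName", "Policies": [ROLE_POLICY]}},
    "MyFunctionPermissions": {"Type": PERMISSION, "Properties": {
        "Action": "lambda:InvokeFunction", "Principal": "cognito-idp.amazonaws.com",
        "FunctionName": {"Fn::GetAtt": ["MyFunctionResource", "Arn"]},
        "SourceArn": {"Fn::Sub": "arn:aws:cognito-idp:${AWS::Region}:${AWS::AccountId}:userpool/*"}}}}}
```

Running `role_policy_principals(BROKEN)` points at the second Policies entry, and `invoke_permission_issues(FIXED, "MyFunctionResource")` comes back empty.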