Aws lambda ALB触发器Lamda函数缺少权限CDK
目前,我有一个问题,从ALB调用Lamda函数作为触发器函数。我得到了错误信息,那Aws lambda ALB触发器Lamda函数缺少权限CDK,aws-lambda,permissions,aws-cdk,Aws Lambda,Permissions,Aws Cdk,目前,我有一个问题,从ALB调用Lamda函数作为触发器函数。我得到了错误信息,那 elasticloadbalancing principal does not have permission to invoke arn:aws:lambda:us-east-2:ACN:function API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal does not have permission t
elasticloadbalancing principal does not have permission to
invoke arn:aws:lambda:us-east-2:ACN:function
API: elasticloadbalancingv2:RegisterTargets elasticloadbalancing principal
does not have permission to invoke arn:aws:lambda:us-east-...function:Ddns
from target group arn:aws:elasticloadbalancing:us-east-2:...targetgroup/DdnsL
我假设->我缺少此特定权限:
LambdaFunctionPermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
FunctionName: !GetAtt LambdaTargetFunction.Arn
Principal: elasticloadbalancing.amazonaws.com
SourceArn: !Ref TargetGroup
但我不知道如何在给定的源代码中包含此权限。是否有人遇到过同样的问题并知道如何解决它?我找到了一种解决方法,在部署堆栈时自动设置权限,而不是创建LambdaALBTarget类,然后调用方法attachToApplicationTargetGroup,只需添加(新的LambDataTarget)将目标添加到负载平衡器时,将自动调用到侦听器->attachToApplicationTargetGroup&AttachOneWorkTargetGroup
listener.addTargets('Targets', {
targets: [new LambdaTarget(fn)]
});
...
这里是创建的调用函数权限(template.json)部分
这是完成的源代码
export class DdnsLamdaApiGateWayCdkStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const vpc = Vpc.fromLookup(this, 'global-vpc', {
vpcId: '....',
});
const code = fs.readFileSync('./code.js','utf8');
const dnsRegistrationRole = new Role(this, 'DnsRegRole', {
roleName: 'Lamda-DnsRegRole',
managedPolicies: [
ManagedPolicy.fromAwsManagedPolicyName('AmazonVPCFullAccess'),
ManagedPolicy.fromAwsManagedPolicyName('AmazonRoute53AutoNamingRegistrantAccess'),
ManagedPolicy.fromAwsManagedPolicyName('AWSLambdaBasicExecutionRole '),
],
inlinePolicies: {
Route53ListHostedZone: new PolicyDocument({
statements: [
new PolicyStatement({
actions: ['route53:ListResourceRecordSets'],
resources: ['arn:aws:route53:::hostedzone/*'],
}),
],
}),
},
assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
});
const dnsRegistrationLambda = new lambda.Function(this, "API", {
handler: 'index.handler',
runtime: Runtime.NODEJS_12_X,
role: dnsRegistrationRole,
code: Code.fromInline(code),
memorySize: 256,
});
const loadBalancerSecurityGroup = new ec2.SecurityGroup(this, "loadBalancer-security-group", {
vpc: vpc,
allowAllOutbound: true,
description: 'loadBalancerSecurityGroup'
});
loadBalancerSecurityGroup.addIngressRule(ec2.Peer.anyIpv4(),ec2.Port.tcp(80),"HTTP");
loadBalancerSecurityGroup.addIngressRule(ec2.Peer.anyIpv4(),ec2.Port.tcp(443),"HTTPS")
const lb = new elbv2.ApplicationLoadBalancer(this, "LoadBalancer", {
vpc,
internetFacing: true,
securityGroup: loadBalancerSecurityGroup
});
const listener = lb.addListener("Listener", {
port: 80,
});
listener.addTargets('Targets', {
targets: [new LambdaTarget(dnsRegistrationLambda)]
});
}
}
基本上,我已经用ALB和Lamda构建了一个无服务器动态DNS系统您检查过Lambda生成的IAM角色了吗?我已经检查了template.json文件:关于I AM角色:“lambdarolePolicy2FC0B982”:{“Type”:“AWS::IAM::Policy”,“Properties”:{“PolicyDocument”:{“Statement”:[{“Action”:“lambda:InvokeFunction”,“Effect”:“Allow”,“资源”:“*”}],“版本”:“2012-10-17”},“策略名称”:“lambdarolePolicy2FC0B982”,“角色”:[“LamdaR”]},我允许每个资源调用该函数。似乎,我的目标组没有调用lamda函数的权限,如何添加这些权限?
"APIInvokeServicePrincipalelasticloadbalancingamazonawscom68C82386": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"API62EA1CFF",
"Arn"
]
},
"Principal": "elasticloadbalancing.amazonaws.com"
},
"Metadata": {
"aws:cdk:path": "DdnsLamdaApiGateWayCdkStack/API/InvokeServicePrincipal(elasticloadbalancing.amazonaws.com)"
}
export class DdnsLamdaApiGateWayCdkStack extends cdk.Stack {
constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
const vpc = Vpc.fromLookup(this, 'global-vpc', {
vpcId: '....',
});
const code = fs.readFileSync('./code.js','utf8');
const dnsRegistrationRole = new Role(this, 'DnsRegRole', {
roleName: 'Lamda-DnsRegRole',
managedPolicies: [
ManagedPolicy.fromAwsManagedPolicyName('AmazonVPCFullAccess'),
ManagedPolicy.fromAwsManagedPolicyName('AmazonRoute53AutoNamingRegistrantAccess'),
ManagedPolicy.fromAwsManagedPolicyName('AWSLambdaBasicExecutionRole '),
],
inlinePolicies: {
Route53ListHostedZone: new PolicyDocument({
statements: [
new PolicyStatement({
actions: ['route53:ListResourceRecordSets'],
resources: ['arn:aws:route53:::hostedzone/*'],
}),
],
}),
},
assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
});
const dnsRegistrationLambda = new lambda.Function(this, "API", {
handler: 'index.handler',
runtime: Runtime.NODEJS_12_X,
role: dnsRegistrationRole,
code: Code.fromInline(code),
memorySize: 256,
});
const loadBalancerSecurityGroup = new ec2.SecurityGroup(this, "loadBalancer-security-group", {
vpc: vpc,
allowAllOutbound: true,
description: 'loadBalancerSecurityGroup'
});
loadBalancerSecurityGroup.addIngressRule(ec2.Peer.anyIpv4(),ec2.Port.tcp(80),"HTTP");
loadBalancerSecurityGroup.addIngressRule(ec2.Peer.anyIpv4(),ec2.Port.tcp(443),"HTTPS")
const lb = new elbv2.ApplicationLoadBalancer(this, "LoadBalancer", {
vpc,
internetFacing: true,
securityGroup: loadBalancerSecurityGroup
});
const listener = lb.addListener("Listener", {
port: 80,
});
listener.addTargets('Targets', {
targets: [new LambdaTarget(dnsRegistrationLambda)]
});
}
}