Error creating a skill with Cloudformation


I have been developing an Alexa skill for a month and now want to create it through Cloudformation. For that I am using this:

Lambda function

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Lambda Function from Cloud Formation by Felix Vazquez",
   "Resources": {
      "Lambda1": {
         "Type": "AWS::Lambda::Function",
         "Properties": {
            "Code": {
               "S3Bucket": "felix-lambda-code",
               "S3Key": "hello_lambda.zip"
            },
            "Description": "Test with Cloud Formation",
            "FunctionName": "Felix-hello-world1234",
            "Handler": "lambda_function.lambda_handler",
            "Role": "arn:aws:iam::776831754616:role/testRol",
            "Runtime": "python2.7"
         }
      }
   }
}

Alexa skill

{
    "Resources": {
        "23LT3": {
            "Type": "Alexa::ASK::Skill",
            "Properties": {
                "AuthenticationConfiguration": {
                    "ClientId": "+my client ID+",
                    "ClientSecret": "+my client Secret+",
                    "RefreshToken": "+The token i generate via lwa+"
                },
                "VendorId": "+my vendor ID+",
                "SkillPackage": {
                    "S3Bucket": "myskillpackagebucket",
                    "S3Key": "my_function10.zip",
                    "S3BucketRole": {
                        "Fn::GetAtt": [
                            "IAMRU6TJ",
                            "Arn"
                        ]
                    },
                    "Overrides": {
                        "Manifest": {
                            "apis": {
                                "custom": {
                                    "endpoint": {
                                        "uri": {
                                            "Fn::GetAtt": [
                                                "Lambda1",
                                                "Arn"
                                            ]
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

IAM role

{
    "Resources": {
        "IAMRU6TJ": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "s3.amazonaws.com",
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "root",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}

The skill depends on the lambda and the IAM role. When I "Create the Stack", after a few seconds it gives me this error:

Unable to assume the provided role. Reason: Access Denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b2e8762c-2593-11e9-b3ec-872599411915)

The token I am using

ask util generate-lwa-tokens --scope "alexa::ask:skills:readwrite alexa::ask:models:readwrite profile"

Events screenshot (image): Event after execution

Your Alexa::ASK::Skill resource: 23LT3['Properties']['SkillPackage']['S3BucketRole']

The docs say: The ARN of the role that grants the Alexa service permission to access the bucket and retrieve the skill package. This role is optional; if it is not provided, the bucket must be configured with a policy that allows this access, or must be publicly accessible, so that AWS CloudFormation can create the skill.

Currently your role allows s3.amazonaws.com and lambda.amazonaws.com to assume a role that can do anything in your AWS account, but what you need is to grant "the Alexa service the permission..."

Best practice is to use the least privileges necessary, but if you are just testing, I understand.

I struggled to find the necessary details documented anywhere. This is the role I used to get this working.

  AlexaReadRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - alexa-appkit.amazon.com
            Sid: AllowServiceToAssumeRole
        Version: 2012-10-17
      Policies:
        - PolicyName: "AlexaS3Read"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "s3:GetObject"
                Resource: "arn:aws:s3:::<bucket-name>/<path-to-alexa-files>/*"
    Type: AWS::IAM::Role
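The two answers above make two separate points about the S3BucketRole: its trust policy must name the Alexa service principal (the question's role trusts s3.amazonaws.com and lambda.amazonaws.com instead, which is exactly what produces the AccessDenied from STS), and its permissions should be limited to reading the package rather than `"Action": "*"` on `"Resource": "*"`. The following checker is an added example, not code from the question or either answer; it lints a role's `Properties` for both conditions. The two sample roles are constructed to mirror the question's JSON role and the YAML role in the answer, and the service principal `alexa-appkit.amazon.com` is taken from that YAML role.

```python
"""Lint an AWS::IAM::Role intended as the S3BucketRole of an Alexa::ASK::Skill.

Added example (not from the question or the answers). It flags a trust policy
that does not let the Alexa service assume the role, and attached policies that
grant wildcard or non-S3 permissions.
"""

# Service principal used by the YAML role in the answer above.
ALEXA_PRINCIPAL = "alexa-appkit.amazon.com"


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Service; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(assume_role_doc):
    """Return the set of service principals that may call sts:AssumeRole on the role."""
    services = set()
    for stmt in _as_list(assume_role_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def lint_s3_bucket_role(role_properties):
    """Return a list of findings (empty list means the role passes both checks)."""
    findings = []
    services = trusted_services(role_properties.get("AssumeRolePolicyDocument", {}))
    if ALEXA_PRINCIPAL not in services:
        findings.append("trust policy does not allow %s to assume the role (trusted: %s)"
                        % (ALEXA_PRINCIPAL, sorted(services) or "none"))
    for policy in role_properties.get("Policies", []):
        name = policy.get("PolicyName", "?")
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action"))
            resources = _as_list(stmt.get("Resource"))
            if "*" in actions:
                findings.append('policy %s allows every action (Action: "*")' % name)
            if "*" in resources:
                findings.append('policy %s applies to every resource (Resource: "*")' % name)
            non_s3 = [a for a in actions if a != "*" and not a.startswith("s3:")]
            if non_s3:
                findings.append("policy %s grants non-S3 actions %s" % (name, non_s3))
    return findings


# Constructed sample: the shape of the role from the question (wrong principals, "*"/"*").
QUESTION_ROLE = {
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": ["s3.amazonaws.com", "lambda.amazonaws.com"]},
                       "Action": ["sts:AssumeRole"]}],
    },
    "Path": "/",
    "Policies": [{"PolicyName": "root",
                  "PolicyDocument": {"Version": "2012-10-17",
                                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
}

# Constructed sample: the shape of the YAML role from the answer (bucket name is a placeholder).
FIXED_ROLE = {
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AllowServiceToAssumeRole", "Effect": "Allow",
                       "Principal": {"Service": [ALEXA_PRINCIPAL]},
                       "Action": ["sts:AssumeRole"]}],
    },
    "Policies": [{"PolicyName": "AlexaS3Read",
                  "PolicyDocument": {"Version": "2012-10-17",
                                     "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                                    "Resource": "arn:aws:s3:::example-skill-bucket/skill/*"}]}}],
}

if __name__ == "__main__":
    for label, role in (("question role", QUESTION_ROLE), ("answer role", FIXED_ROLE)):
        print(label, "->", lint_s3_bucket_role(role) or "ok")
```

Run on the question's role it reports the missing Alexa trust plus the two wildcard grants; on the answer's role it reports nothing. The same `lint_s3_bucket_role` can be pointed at any `AWS::IAM::Role` block loaded from a JSON template (`json.load`) before the stack is created, which catches the 403 from STS at review time instead of at deploy time.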