AWS + serverless - (InvalidPermission.NotFound) The specified rule does not exist in this security group
I created a small script to interact with AWS, updating security groups and EC2 instances. This script works fine on my machine, but I run into a problem when testing it in the AWS Lambda console.
I'm using Serverless to deploy the Lambda function to Amazon Web Services. I also created an IAM role for this new Lambda function.
The error I get is an (InvalidPermission.NotFound) error. The full error stack is shown below.
Error:
An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.: ClientError
Traceback (most recent call last):
  File "/var/task/ipm.py", line 205, in handler
    main()
  File "/var/task/ipm.py", line 197, in main
    sg_ips_remove(to_remove, state_sg, state_ping)
  File "/var/task/ipm.py", line 140, in sg_ips_remove
    update_security_group("revoke", sg_id, sg_ips, state_ping) # run script to authorize/revoke ip access
  File "/var/task/ipm.py", line 53, in update_security_group
    sg.update_sg_traffic(sg_rules=obj, sg_id=group_id, update_type=update_type)
  File "/var/task/sg.py", line 77, in update_sg_traffic
    ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
  File "/var/task/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/task/botocore/client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (InvalidPermission.NotFound) when calling the RevokeSecurityGroupIngress operation: The specified rule does not exist in this security group.
This error occurs in the following code snippet. Again, this code works fine on my machine but throws the error during the Lambda function test.
import boto3


def update_sg_traffic(sg_id, sg_rules, update_type="authorize"):
    """ Update the inbound traffic associated to a SG. It is possible to add or remove IPs from the SG.
    """
    assert update_type in ["authorize", "revoke"]
    ec2 = boto3.client('ec2')
    if update_type == "authorize":
        # Add the given IpPermissions as inbound rules of the security group
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
    else:
        # Remove the given IpPermissions; fails if a rule is not present in the SG
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=sg_rules)
I find this error strange because it complains about the rule RevokeSecurityGroupIngress, which I have added to the IAM role specified in the serverless.yaml file, as shown below.
service: ${self:custom.resourcePrefix}-pingdom-updater

custom:
  resourcePrefix: ${self:provider.stage}use1

provider:
  stage: ${opt:stage, 's'}
  name: aws
  runtime: python3.6
  memorySize: 128
  iamRoleStatements:
    - Effect: Allow
      Action:
        - ec2:AuthorizeSecurityGroupEgress
        - ec2:AuthorizeSecurityGroupIngress
        - ec2:CreateSecurityGroup
        - ec2:DeleteSecurityGroup
        - ec2:DescribeInstanceAttribute
        - ec2:DescribeInstanceStatus
        - ec2:DescribeInstances
        - ec2:DescribeNetworkAcls
        - ec2:DescribeSecurityGroups
        - ec2:RevokeSecurityGroupEgress
        - ec2:RevokeSecurityGroupIngress
      Resource: "*"

functions:
  pingdomUpdater:
    handler: ipm.handler
    events:
      - schedule:
          name: ${self:service}-schedule
          description: ""
          rate: rate(1 day)

plugins:
  - serverless-python-requirements
serverless.yaml
Does anyone know why I'm getting this error?
I appreciate any help I can get. Thanks.
You are confusing IAM roles with VPC security groups.
The error you are getting means that the security group rule does not exist in the specified security group. It has nothing to do with the IAM role.
If your goal is to add/remove permissions on an IAM role, you will need to rewrite the code to handle IAM policies.
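As an added example (not code from the question or the answer above), here is a defensive version of the revoke path of the asker's update_sg_traffic: it describes the security group first and revokes only the rules that are actually present, so a rule that has already disappeared is reported rather than aborting the whole run with InvalidPermission.NotFound. The EC2 client is injected so the logic can run offline; FakeEc2, the sg-0123456789abcdef0 group id and the 203.0.113.x / 198.51.100.x CIDRs are constructed stand-ins, and in the Lambda you would pass boto3.client("ec2") instead. The check needs ec2:DescribeSecurityGroups, which the asker's role already grants.

```python
from typing import Dict, Iterable, List, Set, Tuple

# A single ingress rule flattened to (protocol, from_port, to_port, cidr).
Rule = Tuple[str, int, int, str]


def flatten_permissions(ip_permissions: Iterable[Dict]) -> Set[Rule]:
    """Flatten a boto3 IpPermissions list into a set of single-CIDR rules.

    Only IPv4 IpRanges are compared; Ipv6Ranges, UserIdGroupPairs and
    PrefixListIds are ignored here (a simplification of this example).
    """
    rules: Set[Rule] = set()
    for perm in ip_permissions:
        proto = str(perm.get("IpProtocol", "-1"))
        # For IpProtocol "-1" (all traffic) AWS omits FromPort/ToPort.
        from_port = perm.get("FromPort", -1)
        to_port = perm.get("ToPort", -1)
        for rng in perm.get("IpRanges", []):
            rules.add((proto, from_port, to_port, rng["CidrIp"]))
    return rules


def to_ip_permissions(rules: Iterable[Rule]) -> List[Dict]:
    """Rebuild an IpPermissions list (one CIDR per entry) from flattened rules."""
    perms: List[Dict] = []
    for proto, from_port, to_port, cidr in sorted(rules):
        perm: Dict = {"IpProtocol": proto, "IpRanges": [{"CidrIp": cidr}]}
        if proto != "-1":
            perm["FromPort"] = from_port
            perm["ToPort"] = to_port
        perms.append(perm)
    return perms


def split_revocable(requested: Iterable[Dict], existing: Iterable[Dict]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (present, missing): requested rules the SG holds, and those it does not."""
    req = flatten_permissions(requested)
    cur = flatten_permissions(existing)
    return req & cur, req - cur


def revoke_existing_ingress(ec2, sg_id: str, sg_rules: List[Dict]) -> Tuple[List[Rule], List[Rule]]:
    """Revoke only the ingress rules the SG currently holds; returns (revoked, skipped).

    `ec2` is any object exposing describe_security_groups and
    revoke_security_group_ingress with the boto3 EC2 client's signatures.
    """
    resp = ec2.describe_security_groups(GroupIds=[sg_id])
    existing = resp["SecurityGroups"][0]["IpPermissions"]
    present, missing = split_revocable(sg_rules, existing)
    if present:  # an empty IpPermissions list is itself rejected by the API
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=to_ip_permissions(present))
    return sorted(present), sorted(missing)


class FakeEc2:
    """Constructed in-memory stand-in for boto3.client("ec2") holding one SG."""

    def __init__(self, sg_id: str, ip_permissions: List[Dict]):
        self.sg_id = sg_id
        self.rules = flatten_permissions(ip_permissions)

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": self.sg_id, "IpPermissions": to_ip_permissions(self.rules)}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        wanted = flatten_permissions(IpPermissions)
        if not wanted <= self.rules:  # mirror the real API: unknown rule -> error
            raise RuntimeError("InvalidPermission.NotFound: rule not in security group")
        self.rules -= wanted
        return {"Return": True}


def demo() -> Tuple[List[Rule], List[Rule], List[Rule]]:
    """Run the check on constructed data: one rule present, one already gone."""
    sg_id = "sg-0123456789abcdef0"  # constructed placeholder id
    existing = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.11/32"}]}]
    to_revoke = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                  "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "198.51.100.5/32"}]}]
    ec2 = FakeEc2(sg_id, existing)
    revoked, skipped = revoke_existing_ingress(ec2, sg_id, to_revoke)
    return revoked, skipped, sorted(ec2.rules)


if __name__ == "__main__":
    # In the Lambda handler, pass boto3.client("ec2") in place of FakeEc2.
    print(demo())
```

Comparing against the group's current state also gives you a log line for every rule that was expected but absent, which is the signal worth alerting on: an allow-list entry vanishing between two scheduled runs usually means someone edited the group by hand.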