Serverless: [AWS] Unable to create role resource with policy
I am learning how to use the Serverless Framework and am creating a role that some specific functions will assume, but CloudFormation throws an error saying:
An error occurred: LambdaAdminRole - Unknown field Policies (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 07cb3916-78c5-11e9-b0f6-37c9c6cd9547).
The resource is defined in serverless like this:

resources:
  Resources:
    LambdaAdminRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-${self:provider.stage}-lambda-admin-role
        AssumeRolePolicyDocument:
          Version: '2012-10-17'  # IAM only accepts '2012-10-17' or '2008-10-17' here
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
          # Policies is indented under AssumeRolePolicyDocument here, as posted
          Policies:
            - PolicyName: ${self:service}-${self:provider.stage}-lambda-cognito-admin-policy
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - cognito-idp:ListUsersInGroup
                      - cognito-idp:ListUsers
                    Resource:
                      - 'Fn::Join':
                          - ':'
                          - - 'arn:aws:cognito-idp'
                            - ${self:provider.region}
                            - Ref: 'AWS::AccountId'
                            - 'userpool/*'
Isn't this the correct way to create a role with Serverless? I am following the example shown in the Serverless documentation: https://serverless.com/framework/docs/providers/aws/guide/iam/
Your indentation is incorrect: the Policies property belongs under Properties, not under AssumeRolePolicyDocument, which is what you have in your document. (Unindent the whole Policies section.)
As described in the official documentation, Policies belongs under Properties, not under AssumeRolePolicyDocument.
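A pre-deploy check for the nesting mistake both answers describe, added here as an example; it is not code from the question or from the Serverless Framework. It runs on the parsed YAML (plain dicts, as PyYAML returns them); the role name, region, account id and policy name are constructed samples, and the asker's Fn::Join ARN is flattened to a literal.

```python
# Added lint for AWS::IAM::Role resources in a serverless.yml `resources` block (example code).

# Properties CloudFormation accepts on AWS::IAM::Role.
ROLE_PROPERTIES = {
    "AssumeRolePolicyDocument", "Description", "ManagedPolicyArns", "MaxSessionDuration",
    "Path", "PermissionsBoundary", "Policies", "RoleName", "Tags",
}
# Keys IAM accepts at the top of any policy document (trust or inline); anything else
# is rejected at deploy time as "MalformedPolicyDocument ... Unknown field".
POLICY_DOC_KEYS = {"Version", "Statement", "Id"}
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def lint_policy_document(where: str, doc: dict) -> list[str]:
    """Flag unknown top-level fields and bad Version values in one policy document."""
    problems = [f"{where}: unknown field {k}" for k in doc if k not in POLICY_DOC_KEYS]
    if doc.get("Version") not in VALID_VERSIONS:
        problems.append(f"{where}: Version must be one of {sorted(VALID_VERSIONS)}")
    return problems


def lint_role(name: str, resource: dict) -> list[str]:
    """Return a list of problems for one AWS::IAM::Role; empty means it looks deployable."""
    props = resource.get("Properties", {})
    problems = [f"{name}: unknown property {k}" for k in props if k not in ROLE_PROPERTIES]
    problems += lint_policy_document(f"{name}.AssumeRolePolicyDocument",
                                     props.get("AssumeRolePolicyDocument", {}))
    for policy in props.get("Policies", []):
        problems += lint_policy_document(f"{name}.Policies[{policy.get('PolicyName')}]",
                                         policy.get("PolicyDocument", {}))
    return problems


# Constructed sample: the asker's trust policy and Cognito policy (Fn::Join flattened).
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": ["lambda.amazonaws.com"]}}]}
COGNITO_POLICY = {"PolicyName": "demo-dev-lambda-cognito-admin-policy", "PolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["cognito-idp:ListUsersInGroup", "cognito-idp:ListUsers"],
    "Resource": ["arn:aws:cognito-idp:us-east-1:123456789012:userpool/*"]}]}}
# As posted: Policies indented one level too deep, inside the trust policy document.
MISNESTED_ROLE = {"Type": "AWS::IAM::Role", "Properties": {
    "RoleName": "demo-dev-lambda-admin-role",
    "AssumeRolePolicyDocument": {**TRUST, "Policies": [COGNITO_POLICY]}}}
# Corrected: Policies is a sibling of AssumeRolePolicyDocument under Properties.
FIXED_ROLE = {"Type": "AWS::IAM::Role", "Properties": {
    "RoleName": "demo-dev-lambda-admin-role",
    "AssumeRolePolicyDocument": TRUST, "Policies": [COGNITO_POLICY]}}
```

Running `lint_role("LambdaAdminRole", MISNESTED_ROLE)` reports the same "unknown field Policies" condition CloudFormation rejected, while the corrected role passes with no findings.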