sls deploying multiple IAM roles for lambda, which assumes the wrong role with missing permissions

I am currently running an sls project with 2 lambda functions. One pushes items to Dynamo, the other is triggered when items are pushed to Dynamo (stream). "Process lambda" -> DDB -> "Build lambda".

When testing locally with sls, all PutItem calls work. When I sls deploy and test live on AWS, I get an access denied error:

assumed-role/app-client-onboarder-dev-us-east-2-lambdaRole/app-client-onboarder-dev-app_new_client_process is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-2:123456789:table/dev-app-clients 

When I look in IAM, there are 2 roles for this deployment (I thought there was only 1):

  1. arn:aws:iam::123456789:role/AppClient-dev-BuildProcessLambdaExecutionRole
  2. arn:aws:iam::123456789:role/app-client-onboarder-dev-us-east-2-lambdaRole

The role assumed above looks like assumed-role/role 1./role 2.

What am I missing w/r/t the new role and the sls policy so that the deployed lambda assumes the defined role? Where does this second 'deployment'-level role come from?

Below is an excerpt from serverless.yml.

service: app-client-onboarder


provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev

functions:
  app_new_client_process:
    handler: lambda/handler.app_new_client_process
    tracing: true
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}

  app_new_client_build_resources:
    handler: lambda/handler.app_new_client_build_resources
    tracing: true
    events:
      - stream: ${self:custom.client-table-updates.${self:provider.stage}}
    environment:
      DynamoClientTableName: ${self:custom.client-table-name.${self:provider.stage}}
      DynamoDataTableNamePrefix: ${self:custom.client-data-table-name-prefix.${self:provider.stage}}


resources:
  Resources: 
    appClientBuildProcessLambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: appClient-${self:provider.stage}-BuildProcessLambdaExecutionRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
        - PolicyName: appClientDynamoDBIamPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "dynamodb:DescribeTable"
                  - "dynamodb:GetItem"
                  - "dynamodb:PutItem"
                  - "dynamodb:DescribeStream"
                  - "dynamodb:ListStreams"
                  - "dynamodb:ListTables"
                Resource: "arn:aws:dynamodb:*:146449424444:table/*app-client*"
        - PolicyName: appLogsIamPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "logs:CreateLogGroup"
                  - "logs:CreateLogStream"
                  - "logs:PutLogEvents"
                Resource: "arn:aws:logs:*:146449424444:*"
        - PolicyName: appXrayTracingPolicy
          PolicyDocument: 
            Version: '2012-10-17'
            Statement:
              - Effect: "Allow"
                Action:
                  - "xray:PutTraceSegments"
                  - "xray:PutTelemetryRecords"
                Resource: "*"

plugins: 
  - serverless-plugin-tracing

You need to define the permissions for your serverless project under provider -> iamRoleStatements, like this:

provider:

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "dynamodb:Query" 
        - "dynamodb:PutItem"
        - "dynamodb:UpdateItem"
      Resource: YOUR_DYNAMODB_ARN

Set the role name you defined under resources at the appropriate scope.

At the provider level:

provider:
  name: aws
  runtime: nodejs12.x
  region: us-east-2
  stage: dev
  role: AppExRole

At the function level, if each function needs a different set of permissions:

functions:
  f1:
    role: AppExRole
  f2:
    role: AppExRole2