Policy malformed when deploying serverless application
I have a lambda function created with the Serverless Framework, and I get an error when deploying it to the dev environment. The issue seems to be IAM related, but not a permissions problem, because AWS says it is a malformed policy. I have included the error message as seen in the CloudFormation console along with the whole serverless.yml file. Hopefully someone can help me fix it; I got it working on another account, although changes have been made since, such as the memory limit and specifying the resource for the IAM policy. I should add that I have confirmed the SQS queue referenced in the IAM section does exist, and I have also tried the exact ARN without the opt:accID part.
Error message
The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
Serverless.yaml file
provider:
  name: aws
  runtime: nodejs10.x
  region: us-east-1
  vpc:
    securityGroupIds:
      - ${ssm:/${opt:stage}/securityGroupIds}
    subnetIds:
      - ${ssm:/${opt:stage}/subnetIds}
  iamRoleStatements:
    - Effect: 'Allow'
      Resource: arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon
      Action:
        - 'sqs:*'
  environment:
    tsQueue: https://sqs.us-east-1.amazonaws.com/${opt:accID}/influxdb_perf_mon
functions:
  perf:
    handler: handler.perf
    memorySize: 128 # in MB
    events:
      - sqs:
          arn: arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon
          batchSize: 1
CloudFormation template in S3
"IamRoleLambdaExecution": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": {
          "Fn::Join": [
            "-",
            [
              "timeseries-lambda",
              "dev",
              "lambda"
            ]
          ]
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
              ],
              "Resource": [
                {
                  "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/timeseries-lambda-dev*:*"
                }
              ]
            },
            {
              "Effect": "Allow",
              "Action": [
                "logs:PutLogEvents"
              ],
              "Resource": [
                {
                  "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/timeseries-lambda-dev*:*:*"
                }
              ]
            },
            {
              "Effect": "Allow",
              "Resource": "arn:aws:sqs:us-east-1:100525853236:influxdb_perf_mon",
              "Action": [
                "sqs:*"
              ]
            },
            {
              "Effect": "Allow",
              "Action": [
                "sqs:ReceiveMessage",
                "sqs:DeleteMessage",
                "sqs:GetQueueAttributes"
              ],
              "Resource": [
                "arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon"
              ]
            }
          ]
        }
      }
    ],
    "Path": "/",
    "RoleName": {
      "Fn::Join": [
        "-",
        [
          "timeseries-lambda",
          "dev",
          {
            "Ref": "AWS::Region"
          },
          "lambdaRole"
        ]
      ]
    },
    "ManagedPolicyArns": [
      {
        "Fn::Join": [
          "",
          [
            "arn:",
            {
              "Ref": "AWS::Partition"
            },
            ":iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
          ]
        ]
      }
    ]
  }
},
The line that defines the Resource for the IAM permission you listed has a small typo, a missing $:
Resource: arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon
should be
Resource: arn:aws:sqs:us-east-1:${opt:accID}:influxdb_perf_mon
That will probably fix your issue.
I redeployed your role in my sandbox account. I found that the problem comes from:
{
  "Effect": "Allow",
  "Action": [
    "sqs:ReceiveMessage",
    "sqs:DeleteMessage",
    "sqs:GetQueueAttributes"
  ],
  "Resource": [
    "arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon"
  ]
}
Specifically, from {opt:accID}. Changing the resource to (a real account number) fixed the issue in my verification:
"arn:aws:sqs:us-east-1:324124214:influxdb_perf_mon"
So the question is, where does this policy come from? It is not listed in the Serverless.yaml you provided in the question. Are you sure this is the Serverless.yaml you used most recently?
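As an added check that is not part of either answer above: a small Python linter that scans a compiled CloudFormation template for the defect both answers point at, a literal Resource ARN that still carries a Serverless variable reference (the mistyped {opt:accID} without its $, or an unresolved ${opt:...}), or an account field that is not twelve digits. Running it over the compiled template before deploying surfaces the typo locally instead of as a MalformedPolicyDocument error from IAM. The sample template embedded below is constructed to mirror the one in the question; the account id 123456789012 is a placeholder, and the function and file names are my own choices.

```python
import json
import re

# Shape of an AWS ARN: arn:partition:service:region:account-id:resource.
# The account field must be exactly 12 digits, "*" or empty (global services).
ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):"  # partition
    r"[a-z0-9-]+:"                     # service
    r"[a-z0-9-]*:"                     # region (may be empty)
    r"(\d{12}|\*|):"                   # account id
    r".+$"                             # resource part
)

# Serverless Framework variable references. A correct one starts with "$";
# "{opt:accID}" without the "$" is the typo from the question and is passed
# through to IAM verbatim, which then rejects the policy as malformed.
SLS_VAR_RE = re.compile(r"(\$?)\{(opt|self|env|ssm|file|cf|s3|sls):[^}]*\}")


def check_arn(arn):
    """Return a list of problems with one literal Resource string (empty list = OK)."""
    if arn == "*":
        return []
    m = SLS_VAR_RE.search(arn)
    if m:
        dollar, token = m.group(1), m.group(0)
        if dollar:
            return [f"unresolved Serverless variable {token}"]
        return [f"variable missing leading '$': {token} (expected ${token})"]
    if not ARN_RE.match(arn):
        return [f"not a well-formed ARN: {arn}"]
    return []


def iter_statements(node, path="$"):
    """Yield (json_path, statement) for every IAM statement in a template fragment."""
    if isinstance(node, dict):
        if isinstance(node.get("Statement"), list):
            for i, stmt in enumerate(node["Statement"]):
                yield f"{path}.Statement[{i}]", stmt
        for key, value in node.items():
            yield from iter_statements(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_statements(item, f"{path}[{i}]")


def find_policy_problems(template):
    """Lint every literal Resource string in a CloudFormation template or fragment.

    Intrinsic functions such as {"Fn::Sub": ...} are skipped: CloudFormation
    resolves them before IAM sees the policy, so only literal strings can carry
    an unresolved framework variable.
    """
    findings = []
    for path, stmt in iter_statements(template):
        resources = stmt.get("Resource", [])
        if isinstance(resources, (str, dict)):
            resources = [resources]
        for j, res in enumerate(resources):
            if isinstance(res, str):
                for problem in check_arn(res):
                    findings.append((f"{path}.Resource[{j}]", problem))
    return findings


def lint_json(text):
    """Convenience wrapper: lint a template given as JSON text."""
    return find_policy_problems(json.loads(text))


# Constructed sample mirroring the compiled role in the question (placeholder account id).
SAMPLE_ROLE = {"IamRoleLambdaExecution": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": ["lambda.amazonaws.com"]},
         "Action": ["sts:AssumeRole"]}]},
    "Policies": [{"PolicyName": "timeseries-lambda-dev-lambda", "PolicyDocument": {
        "Version": "2012-10-17", "Statement": [
            # intrinsic function: resolved by CloudFormation, skipped by the linter
            {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": [
                {"Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/x:*"}]},
            # literal ARN with a 12-digit account id: fine
            {"Effect": "Allow", "Action": ["sqs:*"],
             "Resource": "arn:aws:sqs:us-east-1:123456789012:influxdb_perf_mon"},
            # the typo from the question: "{opt:accID}" without the "$"
            {"Effect": "Allow", "Action": ["sqs:ReceiveMessage"],
             "Resource": ["arn:aws:sqs:us-east-1:{opt:accID}:influxdb_perf_mon"]},
        ]}}]}}}

if __name__ == "__main__":
    for path, problem in find_policy_problems(SAMPLE_ROLE):
        print(f"{path}: {problem}")
```

To use it on a real project, pass the compiled template the framework writes under the .serverless directory (the file name there, cloudformation-template-update-stack.json, is from my own experience, not from the page) to lint_json before running the deploy. The linter deliberately only inspects literal strings: a Resource built with Fn::Sub or Fn::Join is legitimate template syntax, whereas a literal {opt:...} or ${opt:...} reaching the template means the framework never resolved it.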