我打开这个问题是因为似乎没有有关此文件的文档,因此,我想在反复试验和浪费大量时间后提供答案。
作为背景,无服务器框架[允许从AWS SSM参数存储中加载纯文本和SecureString值]。 1
执行无服务器部署时,需要哪些权限才能访问和加载这些SSM参数存储值?
最佳答案
通常,访问和解密AWS SSM参数存储值需要以下3个权限:
ssm:DescribeParameters
ssm:GetParameters
kms:Decrypt
--
这是一个真实的示例,仅允许访问与我的lambda函数有关的SSM参数(通过遵循通用的命名约定/模式来区分)-它在以下情况下有效:
一个。
/${app-name-or-app-namespace}/serverless/${lambda-function-name/then/whatever/else/you/want
b。
${lambda-function-name}
必须以sls-
开头假设我有一个名为
myCoolApp
的应用程序和一个名为sls-myCoolLambdaFunction
的Lambda函数。也许我想保存数据库配置值,例如用户名和密码。我将创建两个SSM参数:
/myCoolApp/serverless/sls-myCoolLambdaFunction/dev/database/username
(明文)/myCoolApp/serverless/sls-myCoolLambdaFunction/dev/database/password
(SecureString){
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": [
"arn:aws:ssm:${region-or-wildcard}:${aws-account-id-or-wildcard}:*"
]
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter"
],
"Resource": [
"arn:aws:ssm:${region-or-wildcard}:${aws-account-id-or-wildcard}:parameter/myCoolApp/serverless/sls-*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:*:${aws-account-id}:key/alias/aws/ssm"
]
}
]
}
然后在我的serverless.yml文件中,我可以将这两个SSM值作为函数级环境变量引用,如下所示
environment:
DATABASE_USERNAME: ${ssm:/myCoolApp/serverless/sls-myCoolLambdaFunction/dev/database/username}
DATABASE_PASSWORD: ${ssm:/myCoolApp/serverless/sls-myCoolLambdaFunction/dev/database/password~true}
或者,甚至更好的是,如果我想根据阶段具有不同的配置值的情况下超级动态,则可以像这样设置环境变量
environment:
DATABASE_USERNAME: ${ssm:/myCoolApp/serverless/sls-myCoolLambdaFunction/${self:provider.stage}/database/username}
DATABASE_PASSWORD: ${ssm:/myCoolApp/serverless/sls-myCoolLambdaFunction/${self:provider.stage}/database/password~true}
在上面的示例中,如果我有两个阶段-
dev
和prod
,也许我将创建以下SSM参数:/myCoolApp/serverless/sls-myCoolLambdaFunction/dev/database/username
(明文)/myCoolApp/serverless/sls-myCoolLambdaFunction/dev/database/password
(SecureString)/myCoolApp/serverless/sls-myCoolLambdaFunction/prod/database/username
(明文)/myCoolApp/serverless/sls-myCoolLambdaFunction/prod/database/password
(SecureString)