我的Lambda函数调用SSM时出现错误:
AccessDeniedException:用户:arn:aws:sts :: redacted:assumed-role / LambdaBackend_master_lambda / SpikeLambda无权执行:ssm:GetParameter on resource:arn:aws:ssm:eu-west-1:redacted:parameter / default /键/ API
但是,我很确定自己配置正确:
角色,具有用于Lambda的AssumeRole(尽管我们从错误消息中知道它可以工作)。
λ aws iam get-role --role-name LambdaBackend_master_lambda
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
},
"RoleId": "redacted",
"CreateDate": "2017-06-23T20:49:37Z",
"RoleName": "LambdaBackend_master_lambda",
"Path": "/",
"Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
}
}
我的政策:
λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
"PolicyNames": [
"ssm_read"
]
}
λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
"RoleName": "LambdaBackend_master_lambda",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
"Effect": "Allow"
}
]
},
"PolicyName": "ssm_read"
}
我已经通过策略模拟器运行了它,看起来还不错!
最佳答案
今天就玩这个游戏了,得到了以下内容,在使用GetParameter动作时,将从ssm:GetParameters
删除并使用ssm:GetParameter
似乎可行。即AWS_PROFILE=pstore aws ssm get-parameter --name param_name
。这让我有点恼火,因为我根本无法在iam操作文档here中找到它。但是,它似乎确实有效,并且ssm仍未得到充分记录。
亚马逊已经更新并移动了文档。新的docs包括ssm:GetParameters和ssm:GetParameter。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameter"
],
"Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
"Effect": "Allow"
}
]
}
关于amazon-web-services - 担任AWS Lambda角色,在SSM调用中拒绝访问,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/44734572/