My Lambda function gets an error when it calls SSM:


AccessDeniedException: User: arn:aws:sts::redacted:assumed-role/LambdaBackend_master_lambda/SpikeLambda is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-west-1:redacted:parameter/default/keys/API


But I'm pretty sure I have configured it correctly:

The role, with AssumeRole for Lambda (although we know from the error message that this part works).

λ aws iam get-role --role-name LambdaBackend_master_lambda
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "redacted",
        "CreateDate": "2017-06-23T20:49:37Z",
        "RoleName": "LambdaBackend_master_lambda",
        "Path": "/",
        "Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
    }
}


My policy:

λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
    "PolicyNames": [
        "ssm_read"
    ]
}
λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
    "RoleName": "LambdaBackend_master_lambda",
    "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "ssm:DescribeParameters"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ssm:GetParameters"
                ],
                "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
                "Effect": "Allow"
            }
        ]
    },
    "PolicyName": "ssm_read"
}


I have run it through the policy simulator and it looks fine!

[Screenshot: IAM policy simulator result for the role]

Best answer

Played with this today and got the following: when using the GetParameter action, removing ssm:GetParameters and using ssm:GetParameter instead seems to work, i.e. AWS_PROFILE=pstore aws ssm get-parameter --name param_name. This annoyed me a bit, because I could not find it anywhere in the IAM actions documentation here. However, it does seem to work, and SSM is still under-documented.
Amazon has since updated and moved the documentation. The new docs include both ssm:GetParameters and ssm:GetParameter.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
            "Effect": "Allow"
        }
    ]
}
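
An added example (not from the question or the answer above) of why the original policy failed: a small offline evaluator of IAM Allow/Deny statements with wildcard matching, run against the question's policy and the answer's fix. The account id is a constructed placeholder, and the evaluator models only Effect, Action and Resource, not Conditions, NotAction, resource policies or SCPs.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case):
    # IAM compares action names case-insensitively and resource ARNs
    # case-sensitively; both accept * and ? wildcards. fnmatch also treats
    # [...] as a class, which IAM does not, but actions/ARNs never contain it.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Evaluate one action on one resource against an identity policy.
    An explicit Deny wins; with no matching Allow the result is implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource / Condition are not modelled
        action_hit = any(_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_match(p, resource, False) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

# Constructed account id; the ARN shape follows the error message in the question.
RESOURCE = "arn:aws:ssm:eu-west-1:123456789012:parameter/default/keys/API"

def policy_with(get_action):
    """The question's policy shape, parameterised on the Get* action name."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": [get_action],
         "Resource": "arn:aws:ssm:eu-west-1:123456789012:parameter/*"},
    ]}

ORIGINAL_POLICY = policy_with("ssm:GetParameters")  # plural, as in the question
FIXED_POLICY = policy_with("ssm:GetParameter")      # singular, as in the answer

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        # ssm:GetParameters does not cover ssm:GetParameter: names are exact, not prefixes
        print(f"{name}: ssm:GetParameter allowed = {is_allowed(policy, 'ssm:GetParameter', RESOURCE)}")
```

For the authoritative verdict, run aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names ssm:GetParameter --resource-arns <parameter-arn>, which evaluates the same request against the real policy engine.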

Regarding amazon-web-services - Assumed AWS Lambda role, access denied in SSM call, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44734572/

10-11 06:35