问题描述
如何在AWS CodeStar项目的CloudFormation模板中更改Lambda函数的IAM角色?
How can I change the IAM Role for a Lambda function in an CloudFormation template of an AWS CodeStar project?
我已经创建了一个AWS CodeStar项目(Web服务,基于Lambda,Node.js)。默认情况下,AWS CodeStar生成以下CloudFormation:
I have created a AWS CodeStar project (web service, Lambda based, Node.js). By default, AWS CodeStar generates the following CloudFormation:
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs4.3
Role:
Fn::ImportValue:
!Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
Events:
GetEvent:
Type: Api
Properties:
Path: /
Method: get
PostEvent:
Type: Api
Properties:
Path: /
Method: post
现在,我想替换一下角色是我自己的角色,因为我需要为Lambda函数添加策略以访问其他AWS资源。同时,我还删除了API网关,因为我将添加一个调度程序以稍后触发Lambda调用:
Now, I would like to replace this role with a role of my own, because I need to add policies for the Lambda function to access other AWS resources. At the same time I have also removed the API Gateway, because I will add a scheduler to trigger the Lambda invocations later:
AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar
Parameters:
ProjectId:
Type: String
Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
HelloWorld:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs4.3
Role: !Ref HelloWorldLambdaRole
HelloWorldLambdaRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
但是,当我提交并推送这些更改时,AWS CodePipeline无法更新CloudFormation模板:
However, when I commit and push these changes, AWS CodePipeline fails to update the CloudFormation template:
CREATE_FAILED AWS::IAM::Role EchoLambdaRole API: iam:CreateRole User: arn:aws:sts::[accountId]:assumed-role/CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::[accountId]:role/awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456
基于此反馈,我得出结论,没有授权 CodeStarWorker- [projectId] -CloudFormation / AWSCloudFormation 角色创建IAM角色。但是,该角色在我的CloudFormation模板中是隐藏的,据我了解,它是CodeStar自动设置的。作为AWS账户管理员,我可以简单地编辑相关策略,但是恕我直言,这不是解决此问题的方法。
Based on this feedback, I conclude that CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation role is not authorized to create IAM roles. However, this role is hidden from my CloudFormation template and to my understanding it is something that is setup by CodeStar automatically. As an AWS account admin, I could simply just edit the associated policy, but IMHO this is not the way to solve this problem.
修改:
我已经检查了帐户中的IAM配置。 已创建,并与 AWSCodeStarServiceRole 策略相关联,该策略具有以下语句(在其他语句中,请参阅链接以获取详细信息):
I have checked IAM configuration in my account. An aws-codestar-service-role has been created and it is associated with the AWSCodeStarServiceRole policy that has the following statement (among other statements, see link for details):
{
"Sid": "ProjectWorkerRoles",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/CodeStarWorker*",
"arn:aws:iam::*:policy/CodeStarWorker*",
"arn:aws:iam::*:instance-profile/awscodestar-*"
]
},
也有 CodeStarWorker- [projectId] -CloudFormation 角色,该角色具有名为 CodeStarWorkerCloudFormationRolePolicy 的内联策略,具有以下配置:
There is also the CodeStarWorker-[projectId]-CloudFormation role, that has an inline policy named CodeStarWorkerCloudFormationRolePolicy with the following configuration:
{
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::aws-chargeodestar-eu-west-1-[accountId]-[projectId]-pipeline",
"arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline/*"
],
"Effect": "Allow"
},
{
"Action": [
"codestar:SyncResources",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:AddPermission",
"lambda:UpdateFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration",
"lambda:RemovePermission",
"apigateway:*",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:ListTopics",
"sns:GetTopicAttributes",
"sns:SetTopicAttributes",
"s3:CreateBucket",
"s3:DeleteBucket"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"
],
"Effect": "Allow"
},
{
"Action": [
"cloudformation:CreateChangeSet"
],
"Resource": [
"arn:aws:cloudformation:eu-west-1:aws:transform/Serverless-2016-10-31",
"arn:aws:cloudformation:eu-west-1:aws:transform/CodeStar"
],
"Effect": "Allow"
}
]
}
自创建项目以来, CodeStar_ [projectId] _Owner 政策已直接附加到我的用户上。
Since I have created the project, the CodeStar_[projectId]_Owner policy has been directly attached to my user.
Edit 2:
尽管我有自己的建议,但我还是尝试更新内联的 CodeStarWorkerCloudFormationRolePolicy CodeStarWorker- [projectId] -CloudFormation 角色,方法是添加以下策略语句:
Despite my own recommendation, I attempted to update the inlined CodeStarWorkerCloudFormationRolePolicy of the CodeStarWorker-[projectId]-CloudFormation role by adding the following policy statement:
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::699602212296:role/awscodestar-[projectId]-*"
],
"Effect": "Allow"
}
但是,这在CloudFormation中引起了以下错误:
However, this caused the following error in CloudFormation:
CREATE_FAILED AWS::CodeStar::SyncResources SyncResources123456789012 com.amazon.coral.service.InternalFailure
推荐答案
CodeStar服务使用称为aws-codestar-service-role,带有以下语句。如果该服务角色允许项目的动态工作人员角色继承IAM角色创建操作,则可能需要修改此服务角色。否则CodeStar可能会覆盖您的更改。
The CodeStar Service uses a service role called aws-codestar-service-role, with the following statement. You may want to amend this service role if it allows the dynamic worker roles for the project to inherit the IAM role creation action. Otherwise CodeStar could overwrite your changes.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ProjectStack",
"Effect": "Allow",
"Action": [
"cloudformation:*Stack*",
"cloudformation:GetTemplate"
],
"Resource": [
"arn:aws:cloudformation:*:*:stack/awscodestar-*",
"arn:aws:cloudformation:*:*:stack/awseb-*"
]
},
{
"Sid": "ProjectStackTemplate",
"Effect": "Allow",
"Action": [
"cloudformation:GetTemplateSummary",
"cloudformation:DescribeChangeSet"
],
"Resource": "*"
},
{
"Sid": "ProjectQuickstarts",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::awscodestar-*/*"
]
},
{
"Sid": "ProjectS3Buckets",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::aws-codestar-*",
"arn:aws:s3:::aws-codestar-*/*",
"arn:aws:s3:::elasticbeanstalk-*",
"arn:aws:s3:::elasticbeanstalk-*/*"
]
},
{
"Sid": "ProjectServices",
"Effect": "Allow",
"Action": [
"codestar:*Project",
"codestar:*Resource*",
"codestar:List*",
"codestar:Describe*",
"codestar:Get*",
"codestar:AssociateTeamMember",
"codecommit:*",
"codepipeline:*",
"codedeploy:*",
"codebuild:*",
"ec2:RunInstances",
"autoscaling:*",
"cloudwatch:Put*",
"ec2:*",
"elasticbeanstalk:*",
"elasticloadbalancing:*",
"iam:ListRoles",
"logs:*",
"sns:*"
],
"Resource": "*"
},
{
"Sid": "ProjectWorkerRoles",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:SetDefaultPolicyVersion",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": [
"arn:aws:iam::*:role/CodeStarWorker*",
"arn:aws:iam::*:policy/CodeStarWorker*",
"arn:aws:iam::*:instance-profile/awscodestar-*"
]
},
{
"Sid": "ProjectTeamMembers",
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:DetachUserPolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::*:policy/CodeStar_*"
]
}
}
},
{
"Sid": "ProjectRoles",
"Effect": "Allow",
"Action": [
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:ListEntitiesForPolicy",
"iam:ListPolicyVersions"
],
"Resource": [
"arn:aws:iam::*:policy/CodeStar_*"
]
},
{
"Sid": "InspectServiceRole",
"Effect": "Allow",
"Action": [
"iam:ListAttachedRolePolicies"
],
"Resource": [
"arn:aws:iam::*:role/aws-codestar-service-role"
]
}
]
}
另请参见 http://docs.aws.amazon.com/codestar/latest/userguide/access-permissions.html 但您可能已经猜到了,它是相对较新的文档,文档并未涵盖您的用例。
Also see http://docs.aws.amazon.com/codestar/latest/userguide/access-permissions.html but as you may have guessed, it's relatively new and the docs don't cover your use case.
这篇关于在CodeStar项目的CloudFormation模板中更改Lambda的IAM角色?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!