Problem description
How can I create an IAM role inside a SAM template, like I did in the SAM package? I tried the following:
"lambdaFunctionRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "apigateway.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "ManagedPolicyArns": [
      {
        "Ref": "lambdaBasePolicy"
      }
    ],
    "Policies": [
      {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "arn:aws:logs:*:*:*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:*",
                "dynamodb:*",
                "iam:ListRoles",
                "ses:*",
                "events:*"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
}
It throws an error: com.amazonaws.serverlessappsrepo.template.InvalidTemplateException: Resource with name [lambdaFunctionRole] is invalid. AWS::Serverless::Role is not a supported Serverless Apps Repository Type.
Recommended answer
When publishing to the Serverless app repo, you need to take care to use only the supported resources in your SAM template.
In your case, you can skip creating the lambdaFunctionRole as a standalone resource and just create it inline in your function resource definition.
"lambdaFunction": {
  "Type": "AWS::Serverless::Function",
  "Properties": {
    "Policies": [
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:*",
              "dynamodb:*",
              "iam:ListRoles",
              "ses:*",
              "events:*"
            ],
            "Resource": "*"
          }
        ]
      }
    ]
  }
}
Notice that I've only copied the PolicyDocument part of the Policies in the Role. See the Policies section in the SAM spec.
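As an added example (not part of the original answer or of SAM itself): a small Python check that walks a template's inline policies, in either the AWS::IAM::Role form from the question or the inline AWS::Serverless::Function form from the answer, and lists Allow statements that pair a wildcard action with Resource "*", such as the s3:* and dynamodb:* grants above. The function names and the embedded sample template are constructed for illustration.

```python
import json

# Constructed sample: the answer's inline-policy form, plus one managed policy name.
TEMPLATE = json.loads("""
{"Resources": {"lambdaFunction": {"Type": "AWS::Serverless::Function", "Properties": {
  "Policies": ["AWSLambdaBasicExecutionRole", {
    "Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow",
       "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
       "Resource": "arn:aws:logs:*:*:*"},
      {"Effect": "Allow",
       "Action": ["s3:*", "dynamodb:*", "iam:ListRoles", "ses:*", "events:*"],
       "Resource": "*"}]}]}}}}
""")

def as_list(value):
    """IAM accepts a single value or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def policy_documents(resource):
    """Yield inline policy documents from a SAM function or an IAM role."""
    props = resource.get("Properties", {})
    for entry in as_list(props.get("Policies")):
        if not isinstance(entry, dict):
            continue  # managed policy name or ARN given as a string
        if "PolicyDocument" in entry:   # AWS::IAM::Role form
            yield entry["PolicyDocument"]
        elif "Statement" in entry:      # inline AWS::Serverless::Function form
            yield entry
        # other dicts (SAM policy templates, intrinsic functions) are skipped

def broad_grants(template):
    """Return (resource name, action) pairs for Allow statements that
    combine a wildcard action with Resource "*"."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        for doc in policy_documents(resource):
            for stmt in as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource")):
                    continue
                findings += [(name, a) for a in as_list(stmt.get("Action"))
                             if isinstance(a, str) and a.endswith("*")]
    return findings

if __name__ == "__main__":
    for name, action in broad_grants(TEMPLATE):
        print(f'{name}: {action} on Resource "*"')
```

Each finding is a candidate for narrowing to the specific actions and resource ARNs the function actually uses before the application is published.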