问题描述

我正在尝试使用Firehose交付流来设置Lambda转换.我为Firehose定义了一个IAM角色，其中包括以下策略文档:

I'm trying to set up Lambda transformations with a Firehose delivery stream. I have an IAM role defined for the Firehose which includes the following policy document:

{
    "Statement": {
        "Action": [
            "lambda:InvokeFunction",
            "lambda:GetFunctionConfiguration"
        ],
        "Resource": [<Arn>, ...],
        "Effect": "Allow"
    }
}

我还向sts:AssumeRole授予了Firehose对Lambda角色的访问权限.

I've also granted sts:AssumeRole access to the Lambda role from Firehose.

从理论上讲，这应授予我的Firehose调用"访问指定的lambda ARN的权限.但是转换失败了

This should theoretically grant my Firehose "Invoke" access to the specified lambda ARNs. But the transforms are failing with

{
  "errorCode":"Lambda.InvokeAccessDenied",
  "errorMessage":"Access was denied. Ensure that the access policy allows access to the Lambda function."
}

，并且从Lambda控制台看不到函数调用.我的IAM组件是否配置正确?还是这里出了什么问题?

and no function invocations are apparent from the Lambda console. Do I have my IAM components configured correctly? Or could something else be going wrong here?

推荐答案

在Firehose的ProcessingConfiguration中的其他地方，我提供了一个角色来执行没有足够权限的lambda.通过删除

Elsewhere in the ProcessingConfiguration for my Firehose, I had supplied a role to execute the lambda which did not have adequate permissions. By removing

- ParameterName: RoleArn
  ParameterValue:
    Fn::GetAtt: [<Role>, Arn]

从ProcessingConfiguration配置集中，lambda能够使用适当的角色/策略成功执行.

from the ProcessingConfiguration config set, the lambda was able to execute successfully using the appropriate role/policy.

这篇关于Lambda.InvokeAccess从Kinesis Firehose拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！