我在我的lambda函數,它調用SSM得到一個錯誤:假定角色,訪問被拒絕對SSM呼叫
AccessDeniedException異常:用戶:阿爾恩:AWS:STS ::節錄:assumed-角色/ LambdaBackend_master_lambda/SpikeLambda無權執行:SSM:的getParameter資源:阿爾恩:AWS:SSM:歐盟 - 西1:節錄:參數/默認/按鍵/ API
不過,我敢當然我正確地配置了這個:
角色,與AssumeRole for Lambda(althou我們知道這個錯誤信息是有效的)。
λ aws iam get-role --role-name LambdaBackend_master_lambda
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
},
"RoleId": "redacted",
"CreateDate": "2017-06-23T20:49:37Z",
"RoleName": "LambdaBackend_master_lambda",
"Path": "/",
"Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
}
}
而我的政策:
λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
"PolicyNames": [
"ssm_read"
]
}
λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
"RoleName": "LambdaBackend_master_lambda",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
"Effect": "Allow"
}
]
},
"PolicyName": "ssm_read"
}
我已經通過了政策模擬器上運行它,它似乎要被罰款!
看起來像ssm:GetParameters驗證中的錯誤。當我使用'boto3.client('ssm')。get_parameter()'時,lambda權限按預期工作,但當使用'boto3.client('ssm')。get_parameters()'時,我得到了你提到的權限錯誤。 – skeller88