我在我的lambda函数,它调用SSM得到一个错误:假定角色,访问被拒绝对SSM呼叫
AccessDeniedException异常:用户:阿尔恩:AWS:STS ::节录:assumed-角色/ LambdaBackend_master_lambda/SpikeLambda无权执行:SSM:的getParameter资源:阿尔恩:AWS:SSM:欧盟 - 西1:节录:参数/默认/按键/ API
不过,我敢当然我正确地配置了这个:
角色,与AssumeRole for Lambda(althou我们知道这个错误信息是有效的)。
λ aws iam get-role --role-name LambdaBackend_master_lambda
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
]
},
"RoleId": "redacted",
"CreateDate": "2017-06-23T20:49:37Z",
"RoleName": "LambdaBackend_master_lambda",
"Path": "/",
"Arn": "arn:aws:iam::redacted:role/LambdaBackend_master_lambda"
}
}
而我的政策:
λ aws iam list-role-policies --role-name LambdaBackend_master_lambda
{
"PolicyNames": [
"ssm_read"
]
}
λ aws iam get-role-policy --role-name LambdaBackend_master_lambda --policy-name ssm_read
{
"RoleName": "LambdaBackend_master_lambda",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ssm:GetParameters"
],
"Resource": "arn:aws:ssm:eu-west-1:redacted:parameter/*",
"Effect": "Allow"
}
]
},
"PolicyName": "ssm_read"
}
我已经通过了政策模拟器上运行它,它似乎要被罚款!
看起来像ssm:GetParameters验证中的错误。当我使用'boto3.client('ssm')。get_parameter()'时,lambda权限按预期工作,但当使用'boto3.client('ssm')。get_parameters()'时,我得到了你提到的权限错误。 – skeller88