【Title】: How do I reference a role defined in a SAM template?
【Posted】: 2019-10-30 06:49:42
【Question】:

I'm new to AWS SAM templates and want to create a role with a set of policies, then reference that role for a Lambda function. However, I get the following error when I try to deploy:

Value 'MyRole' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@-_/]+

This answer mentions that I can add the policies directly to the function, but I'll have many functions that need the same policies, so that isn't a very DRY approach: IAM role inside SAM template

Is the problem that I can't use !GetAtt on the newly created role?

This is what my template.yml looks like:

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  OMW Backend Services

Globals:
  Function:
    Timeout: 3

Resources:

  MyRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
        - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          -
            Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:       
          PolicyName: 'ParameterStoreDevParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'ssm:GetParameter*'
                Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
        -
          PolicyName: 'ParameterStoreDevLambdaBasicExecution'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
                Resource: '*'
        -
          PolicyName: 'ParameterStoreDevXRayAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Action:
                  - 'xray:PutTraceSegments'
                  - 'xray:PutTelemetryRecords'
                Resource: '*'
  MyFunction:
    Type: AWS::Serverless::Function
      Tracing: Active
      CodeUri: functions/src/
      Handler: lookup.lambdaHandler
      Runtime: nodejs10.x
      Timeout: 10
      MemorySize: 256
      Role: !GetAtt MyRole.Arn
      Events:
        Lookup:
          Type: Api
          Properties:
            Path: /somePath/{id}
            Method: get            

【Discussion】:

    Tags: aws-lambda amazon-cloudformation aws-sam


    【Solution 1】:

    Your lambda function definition is missing the Properties tag, and the Policies list is missing the list marker for the first policy.

    AWSTemplateFormatVersion: '2010-09-09'
    Transform: AWS::Serverless-2016-10-31
    Description: >
      OMW Backend Services
    
    Globals:
      Function:
        Timeout: 3
    
    Resources:
    
      MyRole:
        Type: AWS::IAM::Role
        Properties:
          ManagedPolicyArns:
            - 'arn:aws:iam::aws:policy/service-role/AmazonRDSFullAccess'
            - 'arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs'
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              -
                Effect: Allow
                Principal:
                  Service:
                    - 'lambda.amazonaws.com'
                Action:
                  - 'sts:AssumeRole'
          Policies:
            -
              PolicyName: 'ParameterStoreDevParameterAccess'
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  -
                    Effect: Allow
                    Action:
                      - 'ssm:GetParameter*'
                    Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/dev/*'
            -
              PolicyName: 'ParameterStoreDevLambdaBasicExecution'
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  -
                    Effect: Allow
                    Action:
                      - 'logs:CreateLogGroup'
                      - 'logs:CreateLogStream'
                      - 'logs:PutLogEvents'
                    Resource: '*'
            -
              PolicyName: 'ParameterStoreDevXRayAccess'
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  -
                    Effect: Allow
                    Action:
                      - 'xray:PutTraceSegments'
                      - 'xray:PutTelemetryRecords'
                    Resource: '*'
      MyFunction:
        Type: AWS::Serverless::Function
        Properties:
          Tracing: Active
          CodeUri: functions/src/
          Handler: lookup.lambdaHandler
          Runtime: nodejs10.x
          Timeout: 10
          MemorySize: 256
          Role: !GetAtt MyRole.Arn
          Events:
            Lookup:
              Type: Api
              Properties:
                Path: /somePath/{id}
                Method: get
    

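    The two defects the answer points out (a function whose settings sit outside Properties, and a Policies block written as a mapping instead of a list) plus the constraint from the question's error can all be caught before deploying. The following is an added example, not code from the original post or from AWS; it is a small pre-deploy checker over a SAM template that has already been loaded into Python structures, using the CloudFormation long-form `{"Fn::GetAtt": [...]}` spelling of `!GetAtt` so that no YAML library is needed, and the sample templates are constructed to mirror the question's.

```python
import re

# Pattern quoted verbatim from the deployment error in the question:
# a literal Role value must be a role ARN; a bare logical id like "MyRole" fails it.
ROLE_ARN_RE = re.compile(r"arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@-_/]+")


def check_template(template):
    """Return a list of problems with role wiring; an empty list means it is consistent."""
    problems = []
    resources = template.get("Resources", {})
    roles = {n for n, r in resources.items() if r.get("Type") == "AWS::IAM::Role"}
    for name, res in resources.items():
        props = res.get("Properties")
        if props is None:
            # Resource settings must live under Properties; keys placed directly
            # under the resource (as in the question's MyFunction) are the wrong shape.
            problems.append(f"{name}: missing Properties block")
            continue
        if res.get("Type") == "AWS::IAM::Role":
            if not isinstance(props.get("Policies", []), list):
                problems.append(f"{name}: Policies must be a list (each entry starts with '-')")
        if res.get("Type") == "AWS::Serverless::Function" and "Role" in props:
            role = props["Role"]
            if isinstance(role, str):
                if not ROLE_ARN_RE.fullmatch(role):
                    problems.append(f"{name}: Role '{role}' is not a role ARN")
            elif isinstance(role, dict) and "Fn::GetAtt" in role:
                target, attr = role["Fn::GetAtt"]
                if target not in roles or attr != "Arn":
                    problems.append(f"{name}: Role must be !GetAtt <IAM role>.Arn, got {target}.{attr}")
            else:
                problems.append(f"{name}: unsupported Role value {role!r}")
    return problems


# Constructed samples mirroring the question (BROKEN) and the accepted answer (FIXED).
_POLICY = {"PolicyName": "ParameterStoreDevParameterAccess"}
_FUNC = {"Handler": "lookup.lambdaHandler", "Role": {"Fn::GetAtt": ["MyRole", "Arn"]}}
BROKEN = {"Resources": {
    "MyRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": _POLICY}},
    "MyFunction": {"Type": "AWS::Serverless::Function", **_FUNC},
}}
FIXED = {"Resources": {
    "MyRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [_POLICY]}},
    "MyFunction": {"Type": "AWS::Serverless::Function", "Properties": _FUNC},
}}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_template(tpl) or "ok")
```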
    【Comments】:

    • Thanks @Prajilesh. Sorry, this was a copy/paste/typo error, since I changed the names of the function and role to post here and mistyped. One problem I found was that the AmazonRDSFullAccess role was incorrect; it should be - 'arn:aws:iam::aws:policy/AmazonRDSFullAccess'. I noticed that running sam package doesn't always recreate the packaged.yml file, which means that, although I now have this working, it's unclear which final change made it work.
    • @RossCoundon Glad to know the problem has been resolved. I was using the sam validate command to validate the template and noticed these properties were missing.