【发布时间】:2019-07-12 17:16:57
【问题描述】:
我想在 AWS API Gateway 中实现一个 GET 方法,该方法从 AWS SQS 返回消息。当我测试它时,我得到一个异常:
<AccessDeniedException>
<Message>Unable to determine service/operation name to be authorized</Message>
</AccessDeniedException>
我在无服务器 yml 文件中定义了所有堆栈:
functions:
listExportJob:
handler: src/listExportJob.handler
role: listExportJobIAM
environment:
processingqueueUrl: https://xxxxx/processing-exports-queue-eu-local
events:
- processingsqs:
arn: arn:aws:sqs:xxxxx:processing-exports-queue-eu-local
events:
- sqs:ChangeMessageVisibility
- sqs:ChangeMessageVisibilityBatch
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
resources:
Resources:
processingSQSQueue:
Type: AWS::SQS::Queue
Properties:
QueueName: processing-exports-queue-eu-local
ApiGatewayRestApi:
Type: AWS::ApiGateway::RestApi
Properties:
Name: ApiGateway
listExportAPIResource:
Type: "AWS::ApiGateway::Resource"
Properties:
ParentId:
Fn::GetAtt:
- "ApiGatewayRestApi"
- "RootResourceId"
PathPart: "listExport"
RestApiId:
Ref: ApiGatewayRestApi
listExportAPIMethod:
Type: AWS::ApiGateway::Method
DependsOn: processingSQSQueue
Properties:
RestApiId:
Ref: ApiGatewayRestApi
ResourceId:
Ref: listExportAPIResource
HttpMethod: "GET"
MethodResponses:
- StatusCode: "200"
ResponseParameters:
"method.response.header.Access-Control-Allow-Origin": true
AuthorizationType: "NONE"
Integration:
Type: AWS
Credentials:
Fn::GetAtt: [ "APIGatewaySQSIAM", "Arn" ]
IntegrationHttpMethod: POST
IntegrationResponses:
- StatusCode: "200"
ResponseParameters:
"method.response.header.Access-Control-Allow-Origin": "'*'"
ResponseTemplates:
"application/json": ""
Uri: arn:aws:apigateway:xxxxx/processing-exports-queue-eu-local
APIGatewaySQSIAM:
Type: AWS::IAM::Role
Properties:
Path: /app/all/
RoleName: APIGSQSRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- apigateway.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: APIGATEWAYIAMAll
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Resource: "*"
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
- Effect: Allow
Resource:
- "*"
Action:
- "sqs:SendMessage"
listExportJobIAM:
Type: AWS::IAM::Role
Properties:
RoleName: listExportJobRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: listExportJobIAMAll
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:CreateLogStream
- logs:PutLogEvents
- logs:CreateLogGroup
Resource: '*'
- Effect: Allow
Action:
- sqs:ChangeMessageVisibility
- sqs:ChangeMessageVisibilityBatch
- sqs:GetQueueAttributes
- sqs:ReceiveMessage
Resource: arn:aws:sqs:xxxxx:processing-exports-queue-eu-local
- Effect: Allow
Action:
- lambda:InvokeFunction
Resource: '*'
我已经用 IntegrationHttpMethod POST 定义了 GET 方法,但我看不出我的实现有什么问题。
AWS API Gateway 有另一种方法,可以将消息直接发布到 AWS SQS 并正常工作。
【问题讨论】:
-
这通常发生在
APIGateway没有调用指定服务的权限时。我找不到您的APIGateway角色的定义 - APIGatewaySQSIAM。是我看起来不正确还是 yaml 中缺少它? -
感谢您的及时答复。我编辑了 yaml 文件并添加了 API Gateway 角色。
标签: amazon-web-services aws-lambda aws-api-gateway serverless-framework