[Posted]: 2017-11-12 23:26:39
[Question]:
I created an AWS Lambda function that is supposed to copy InstanceDBSnapshots from one region to another.
The following policy is attached to the role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1510479591000",
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBInstance",
                "rds:CreateDBSecurityGroup",
                "rds:CreateDBSnapshot",
                "rds:CreateDBSubnetGroup",
                "rds:DeleteDBInstance",
                "rds:DeleteDBSecurityGroup",
                "rds:DeleteDBSnapshot",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSecurityGroups",
                "rds:DescribeDBSnapshotAttributes",
                "rds:DescribeDBSnapshots",
                "rds:DescribeDBSubnetGroups",
                "rds:ModifyDBInstance",
                "rds:ModifyDBSubnetGroup",
                "rds:RestoreDBInstanceFromDBSnapshot"
            ],
            "Resource": [
                "arn:aws:rds:*"
            ]
        }
    ]
}
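There is also an Amazon policy named "AWSLambdaBasicExecutionRole".
When I run the function, I get the following error:
START RequestId: c5f62f26-c7b6-11e7-8fd4-c9b54c37d712 Version: $LATEST An error occurred (AccessDenied) when calling the DescribeDBSnapshots operation: User: arn:aws:sts::ACCOUNT:assumed-role/cc/Cross-Copy-DB-Snapshots is not authorized to perform: rds:DescribeDBSnapshots: ClientError
I don't understand what "arn:aws:sts" is or how to get this function to run properly.
Does anyone know about this problem and how to fix it?
[Comments]: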
- Should "Resource": [ "arn:aws:rds:*" ] actually be "Resource": [ "arn:aws:rds::*" ]?
Tags: python-2.7 aws-lambda
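
An added example, not part of the original question or comment: a small Python check that splits each Resource pattern of a policy into the six colon-separated ARN fields (arn:partition:service:region:account-id:resource) and reports which fields a pattern leaves out. The third pattern and all function names are assumptions made for illustration; the check looks only at the shape of the pattern and does not evaluate the policy.

```python
import json

# Constructed input: the two Resource patterns quoted on this page plus a
# fully segmented pattern (hypothetical) for comparison.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": ["rds:DescribeDBSnapshots"],
   "Resource": ["arn:aws:rds:*", "arn:aws:rds::*",
                "arn:aws:rds:*:*:snapshot:*"]}]}
""")

# General ARN layout: arn:partition:service:region:account-id:resource
ARN_FIELDS = ("arn", "partition", "service", "region", "account", "resource")


def split_arn(pattern):
    """Map each ARN field name to its value; absent fields map to None."""
    if pattern == "*":
        return {name: "*" for name in ARN_FIELDS}
    parts = pattern.split(":", 5)  # the resource field may itself contain ':'
    parts += [None] * (len(ARN_FIELDS) - len(parts))
    return dict(zip(ARN_FIELDS, parts))


def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def audit_resources(policy):
    """Return (pattern, missing_field_names) for every Resource entry."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a lone statement may not be wrapped in a list
        stmts = [stmts]
    findings = []
    for stmt in stmts:
        for pattern in as_list(stmt.get("Resource", [])):
            fields = split_arn(pattern)
            missing = [n for n in ARN_FIELDS if fields[n] is None]
            findings.append((pattern, missing))
    return findings


if __name__ == "__main__":
    for pattern, missing in audit_resources(POLICY):
        status = "missing: " + ", ".join(missing) if missing else "all six fields present"
        print("%-30s %s" % (pattern, status))
```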