I am trying to set up a Lambda that is triggered when an object is created in an S3 bucket.
My serverless.yml includes the following:
handleNewRawObjectInS3:
  handler: lambdas/handleNewRawObjectInS3/handleNewRawObjectInS3.handleS3Event
  events:
    - s3:
        bucket: ${file(../evn.${opt:stage, 'dev'}.json):RAW_IMAGE_BUCKET}
        event: s3:ObjectCreated:*
This results in an error:
Error:
CREATE_FAILED: S3Bucketxxxxxxxxxrawimages (AWS::S3::Bucket)
xxxxxxxxx-raw-images already exists in stack arn:aws:cloudformation:us-east-1:xxxx:stack/s3-xxxxxxxxx-raw-images/310e7010-xxx-xxx-xxxx-12f066874c93
I have already created the bucket (it was created by uploading a CloudFormation template directly; our enterprise version of AWS does not allow us to create buckets with the Serverless Framework). How to add S3 trigger event on AWS Lambda function using Serverless framework? says this was not possible in older versions of Serverless, but after going down the rabbit hole you find a feature request, and then an answer saying that you need to add "existing: true".
So I added that to the Serverless Framework setup:
service: my-service-events
provider:
  name: aws
  runtime: nodejs14.x
  region: ${file(../evn.${opt:stage, 'dev'}.json):REGION}
  stage: ${opt:stage, 'dev'}
  deploymentBucket: # must name a manually-created bucket for deployment because enterprise doesn't allow automated bucket creation
    name: ${file(../evn.${opt:stage, 'dev'}.json):DEPLOYMENT_BUCKET}
  iam: # must name a role because enterprise doesn't allow automated role creation
    role: myServerlessRole # This is a reference to the resource name from the role created in the resources -> iam roles section
    deploymentRole: ${file(../evn.${opt:stage, 'dev'}.json):DEPLOYMENT_ROLE}
resources:
  - ${file(../iam-roles.${opt:stage, 'dev'}.yml)}
functions:
  handleNewRawObjectInS3:
    handler: lambdas/handleNewRawObjectInS3/handleNewRawObjectInS3.handleS3Event
    events:
      - s3:
          bucket: ${file(../evn.${opt:stage, 'dev'}.json):RAW_IMAGE_BUCKET}
          event: s3:ObjectCreated:*
          existing: true
The IAM file/role referenced above looks like this:
Resources:
  myServerlessRole:
    Type: AWS::IAM::Role
    Properties:
      PermissionsBoundary: arn:aws:iam::xxx:policy/csr-Developer-Permissions-Boundary
      Path: /my/default/path/
      RoleName: myServerlessRole-${self:service}
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: myPolicyName
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource:
                  - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
              - Effect: "Allow"
                Action:
                  - "s3:*"
                Resource: "arn:aws:s3:::*"
              - Effect: "Allow"
                Action:
                  - "lambda:*"
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - cloudfront:CreateDistribution
                  - cloudfront:GetDistribution
                  - cloudfront:UpdateDistribution
                  - cloudfront:DeleteDistribution
                  - cloudfront:TagResource
                Resource: "arn:aws:cloudfront:::*"
Trying to deploy this gives me the error:
Error:
CREATE_FAILED: CustomDashresourceDashexistingDashs3LambdaFunction (AWS::Lambda::Function)
Resource handler returned message: "The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, Request ID: 812c5384-1c26-42c9-bdef-1ce4a59f2be4)" (RequestToken: 9cdbb5af-3bc7-d6bf-384b-5126d1048ccd, HandlerErrorCode: InvalidRequest)
How do I deploy this Lambda triggered by an S3 event?
Posted on 2022-07-22 13:54:29
The problem comes from the fact that the CustomDashresourceDashexistingDashs3LambdaFunction lambda runs as the deploymentRole rather than under the defined role (which is the default role the lambdas run under). Since a deployment role usually does not need assumeRole, my deployment role did not have the assumeRole permission. The way to fix this is to make sure the sts:assumeRole trust relationship has been applied to the deploymentRole, as shown below:
{
  "Effect": "Allow",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
}
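As an added illustration (not part of the question or answer above), the check below evaluates an IAM trust policy the way the failing AssumeRole call does: it reports whether a given service principal may assume the role, with an explicit Deny overriding any Allow and wildcard actions such as sts:* honoured, while ignoring Conditions, NotPrincipal and NotAction. The two policy documents in it are constructed samples of a deployment role before and after the trust relationship from the answer is applied; run it against the real deployment role's trust policy before `serverless deploy` to catch the gap ahead of a CloudFormation rollback.

```javascript
// Added example, not from the question or answer: a pre-deploy check answering the
// question behind "The role defined for the function cannot be assumed by Lambda".
// Conditions, NotPrincipal and NotAction are ignored (assumption, for brevity).
function asList(v) {
  if (v === undefined || v === null) return [];
  return Array.isArray(v) ? v : [v];
}

// IAM action patterns may contain "*" wildcards (e.g. "sts:*") and match case-insensitively.
function actionMatches(pattern, action) {
  const parts = pattern.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(action);
}

// True when this statement names `service` (or "*") as principal and covers sts:AssumeRole.
function statementCovers(stmt, service) {
  const p = stmt.Principal;
  const services = p === "*" ? ["*"] : asList(p && p.Service);
  const principalOk = services.some((s) => s === "*" || s === service);
  const actionOk = asList(stmt.Action).some((a) => actionMatches(a, "sts:AssumeRole"));
  return principalOk && actionOk;
}

// Returns true when `service` (e.g. "lambda.amazonaws.com") can assume the role:
// an explicit Deny wins, otherwise at least one Allow must cover the request.
function canServiceAssume(trustPolicy, service) {
  const stmts = asList(trustPolicy.Statement);
  if (stmts.some((s) => s.Effect === "Deny" && statementCovers(s, service))) return false;
  return stmts.some((s) => s.Effect === "Allow" && statementCovers(s, service));
}

// Lists the required service principals the policy does not trust.
function missingTrustedServices(trustPolicy, required) {
  return required.filter((svc) => !canServiceAssume(trustPolicy, svc));
}

// Constructed sample: a deployment role that trusts only CloudFormation. The
// custom-resource Lambda that wires up the existing bucket runs under this role.
const deploymentRoleBefore = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "cloudformation.amazonaws.com" }, Action: "sts:AssumeRole" }],
};

// Constructed sample: the same role after adding the trust relationship from the answer.
const deploymentRoleAfter = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: ["cloudformation.amazonaws.com", "lambda.amazonaws.com"] }, Action: "sts:AssumeRole" }],
};
```

Note that after the fix the deployment role is assumable by every Lambda function in the account that is configured to use it, so keep its permissions scoped to what the deployment actually needs.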
https://stackoverflow.com/questions/72925522