Question:

Changing the IAM role of a Lambda in the CloudFormation template of a CodeStar project?

方子安
2023-03-14

How do I change the IAM role of a Lambda function in the CloudFormation template of an AWS CodeStar project?

I created an AWS CodeStar project (web service, Lambda-based, Node.js). By default, AWS CodeStar generates the following CloudFormation template:

AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar

Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members

Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs4.3
      Role:
        Fn::ImportValue:
          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
        PostEvent:
          Type: Api
          Properties:
            Path: /
            Method: post

Now I want to replace this role with my own, because I need to add policies to the Lambda function so it can access other AWS resources. At the same time I also removed the API Gateway, because I will add a scheduler later to trigger the Lambda invocation:

AWSTemplateFormatVersion: 2010-09-09
Transform:
- AWS::Serverless-2016-10-31
- AWS::CodeStar

Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members

Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs4.3
      Role: !Ref HelloWorldLambdaRole

  HelloWorldLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

However, when I commit and push these changes, AWS CodePipeline fails to update the CloudFormation template:

CREATE_FAILED AWS::IAM::Role EchoLambdaRole API: iam:CreateRole User: arn:aws:sts::[accountId]:assumed-role/CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::[accountId]:role/awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456

Based on this feedback, I assume that the CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation role is not authorized to create IAM roles. However, this role is hidden from my CloudFormation template and, as far as I know, is set up automatically by CodeStar. As an AWS account administrator I could simply edit the relevant policy, but that is not the way to solve this problem.

Edit:

I have checked the IAM configuration in my account. An aws-codestar-service-role has been created, which is associated with the AWSCodeStarServiceRole policy containing the following statement (among others; see the link for details):

{
  "Sid": "ProjectWorkerRoles",
  "Effect": "Allow",
  "Action": [
    "iam:AttachRolePolicy",
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRole",
    "iam:PassRole",
    "iam:PutRolePolicy",
    "iam:SetDefaultPolicyVersion",
    "iam:CreatePolicy",
    "iam:DeletePolicy",
    "iam:AddRoleToInstanceProfile",
    "iam:CreateInstanceProfile",
    "iam:DeleteInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile"
  ],
  "Resource": [
    "arn:aws:iam::*:role/CodeStarWorker*",
    "arn:aws:iam::*:policy/CodeStarWorker*",
    "arn:aws:iam::*:instance-profile/awscodestar-*"
  ]
},

There is also the CodeStarWorker-[projectId]-CloudFormation role, which has an inline policy named CodeStarWorkerCloudFormationRolePolicy configured as follows:

{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline",
                "arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codestar:SyncResources",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:AddPermission",
                "lambda:UpdateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration",
                "lambda:RemovePermission",
                "apigateway:*",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "kinesis:CreateStream",
                "kinesis:DeleteStream",
                "kinesis:DescribeStream",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:SetTopicAttributes",
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateChangeSet"
            ],
            "Resource": [
                "arn:aws:cloudformation:eu-west-1:aws:transform/Serverless-2016-10-31",
                "arn:aws:cloudformation:eu-west-1:aws:transform/CodeStar"
            ],
            "Effect": "Allow"
        }
    ]
}

Since I created this project, the CodeStar_[projectId]_Owner policy has been attached directly to my user.

Edit 2:

Against my own advice, I tried to update the inline CodeStarWorkerCloudFormationRolePolicy of the CodeStarWorker-[projectId]-CloudFormation role by adding the following policy statement:

{
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::699602212296:role/awscodestar-[projectId]-*"
    ],
    "Effect": "Allow"
}

However, this led to the following error in CloudFormation:

CREATE_FAILED AWS::CodeStar::SyncResources SyncResources123456789012 com.amazon.coral.service.InternalFailure

2 answers

司徒宇
2023-03-14

I believe the answer is that CodeStar seems to be inconsistent with the naming convention it uses when creating roles in different circumstances. If you provide a name with the prefix CodeStar-[projectId]* when creating the role, this will satisfy the IAM policy of the CodeStarWorker-[projectId]-CloudFormation role, i.e. include RoleName: !Sub 'CodeStar-${ProjectId}-'.

Further info: when I hit the same error, I was also going to update the IAM policy, and then noticed the permission boundary in the IAM policy of the CodeStarWorker-[projectId]-CloudFormation role. Compare the role from the error with an existing role:

Role in the error: awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456

Example of a role created by CodeStar: CodeStar-[projectId]-Execution

Also, if you came to CodeStar from the SAM CLI, this is confusing, because in the CLI you can specify a Lambda function without a role and SAM will create it for you, e.g.:

$ sam init --name test_sam
$ cat test_sam/template.yml
HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
        CodeUri: hello-world/
        Handler: app.lambdaHandler
        Runtime: nodejs8.10
        Environment: 
            Variables:
                PARAM1: VALUE
        Events:
            HelloWorld:
                Type: Api
                Properties:
                    Path: /hello
                    Method: get

However, in CodeStar this does not work; it seems you need to follow CodeStar's examples and specify the function resource together with a role that has the correct name prefix! E.g.:

Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: python3.7
      Role:
        Fn::GetAtt:
        - LambdaExecutionRole
        - Arn
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
  LambdaExecutionRole:
    Description: Creating service role in IAM for AWS Lambda
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        -  ....
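
As an added example (not code from the question or either answer), the checker below applies IAM's '*' and '?' wildcard matching to the Resource patterns quoted above, so you can see which role names the visible statements actually cover: the generated awscodestar-[projectId]-lambda-... name matches none of them, which is the CREATE_FAILED in the question, and even a successfully created role still needs an iam:PassRole grant on its ARN before CloudFormation can hand it to Lambda. The permission boundary mentioned in this answer is not quoted on the page and is not modelled; only the two statements embedded in the script are evaluated.

```python
import json
import re

# Constructed excerpt of two statements quoted in the question: ProjectWorkerRoles
# from the AWSCodeStarServiceRole policy and the iam:PassRole statement of the
# CodeStarWorker-[projectId]-CloudFormation inline policy ("[accountId]" and
# "[projectId]" are the page's placeholders, kept literally).
STATEMENTS = json.loads("""[
  {"Sid": "ProjectWorkerRoles", "Effect": "Allow",
   "Action": ["iam:CreateRole", "iam:PassRole", "iam:AttachRolePolicy"],
   "Resource": ["arn:aws:iam::*:role/CodeStarWorker*",
                "arn:aws:iam::*:policy/CodeStarWorker*"]},
  {"Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": ["arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"]}
]""")

def _matches(pattern, value):
    # IAM wildcards only: '*' spans any run of characters, '?' exactly one. All other
    # characters are literal, so fnmatch (which reads '[...]' as a class) is avoided.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(statements, action, resource_arn):
    # Evaluates Effect/Action/Resource only; Condition keys are ignored (none of the
    # quoted statements carry one). Actions match case-insensitively, ARNs exactly.
    allowed = False
    for st in statements:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False  # an explicit Deny wins over any Allow
        allowed = True
    return allowed

def role_arn(role_name, account="[accountId]"):
    return f"arn:aws:iam::{account}:role/{role_name}"

# Name CloudFormation generated for the question's HelloWorldLambdaRole resource.
GENERATED = "awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456"

if __name__ == "__main__":
    for name in (GENERATED, "CodeStarWorker-[projectId]-Execution"):
        for action in ("iam:CreateRole", "iam:PassRole"):
            print(f"{action:16} {name}: {is_allowed(STATEMENTS, action, role_arn(name))}")
```
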

越嘉石
2023-03-14

The CodeStar service uses a service role named aws-codestar-service-role with the following statements. This service role may need to be modified if it allows the project's dynamic worker roles to inherit the IAM role creation actions. Otherwise CodeStar might overwrite your changes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProjectStack",
      "Effect": "Allow",
      "Action": [
        "cloudformation:*Stack*",
        "cloudformation:GetTemplate"
      ],
      "Resource": [
        "arn:aws:cloudformation:*:*:stack/awscodestar-*",
        "arn:aws:cloudformation:*:*:stack/awseb-*"
      ]
    },
    {
      "Sid": "ProjectStackTemplate",
      "Effect": "Allow",
      "Action": [
        "cloudformation:GetTemplateSummary",
        "cloudformation:DescribeChangeSet"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProjectQuickstarts",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::awscodestar-*/*"
      ]
    },
    {
      "Sid": "ProjectS3Buckets",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::aws-codestar-*",
        "arn:aws:s3:::aws-codestar-*/*",
        "arn:aws:s3:::elasticbeanstalk-*",
        "arn:aws:s3:::elasticbeanstalk-*/*"
      ]
    },
    {
      "Sid": "ProjectServices",
      "Effect": "Allow",
      "Action": [
        "codestar:*Project",
        "codestar:*Resource*",
        "codestar:List*",
        "codestar:Describe*",
        "codestar:Get*",
        "codestar:AssociateTeamMember",
        "codecommit:*",
        "codepipeline:*",
        "codedeploy:*",
        "codebuild:*",
        "ec2:RunInstances",
        "autoscaling:*",
        "cloudwatch:Put*",
        "ec2:*",
        "elasticbeanstalk:*",
        "elasticloadbalancing:*",
        "iam:ListRoles",
        "logs:*",
        "sns:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ProjectWorkerRoles",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "arn:aws:iam::*:role/CodeStarWorker*",
        "arn:aws:iam::*:policy/CodeStarWorker*",
        "arn:aws:iam::*:instance-profile/awscodestar-*"
      ]
    },
    {
      "Sid": "ProjectTeamMembers",
      "Effect": "Allow",
      "Action": [
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::*:policy/CodeStar_*"
          ]
        }
      }
    },
    {
      "Sid": "ProjectRoles",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:ListEntitiesForPolicy",
        "iam:ListPolicyVersions"
      ],
      "Resource": [
        "arn:aws:iam::*:policy/CodeStar_*"
      ]
    },
    {
      "Sid": "InspectServiceRole",
      "Effect": "Allow",
      "Action": [
        "iam:ListAttachedRolePolicies"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-codestar-service-role"
      ]
    }
  ]
}

See also http://docs.aws.amazon.com/codestar/latest/userguide/access-permissions.html, but as you may have guessed, it is relatively new and the documentation does not cover your use case.
