AWS Lambda is never called for authentication in AWS Transfer Family

Question

I'm trying to set up AWS Transfer Family with an AWS Lambda function as a custom identity provider. Unfortunately the Lambda is never called. Every time I call identity provider testing I get:

{
    "Response": "{}",
    "StatusCode": 403,
    "Message": "Lambda function configuration error: AccessDeniedException"
}

These are the permission policies which are defined for the role of the Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "lambda:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:eu-central-1:log.group.number:*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:eu-central-1:087690012243:log-group:/aws/lambda/name-of-my-lambda:*"
        }
    ]
}

But I'm not sure this is really relevant. It feels like the Transfer Family server is lacking the right to call the Lambda. But I cannot find any setting to add a role or policy to the Transfer Family server itself.

Any ideas what's missing?

Answer 1

Score: 2

The Lambda also needs a resource-based policy which gives the AWS Transfer Family server the right to call it. This can be configured at the very bottom of the Lambda configuration GUI in the "Configuration" tab.

The following values have to be entered:

Statement ID: statement01
Principal: transfer.amazonaws.com
Effect: Allow
Action: lambda:InvokeFunction
Conditions:
{
 "ArnLike": {
  "AWS:SourceArn": "arn:aws:transfer:eu-central-1:your-account-number:server/your-aws-transfer-family-server-id"
 }
}
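As an added example (not code from the original post or from AWS), a small offline check that classifies the JSON document returned by `aws lambda get-policy` for the function: it confirms that transfer.amazonaws.com is allowed lambda:InvokeFunction and that the grant carries the aws:SourceArn condition from the answer, so only your own server, not any Transfer Family server in any account, can invoke the authentication function. The account id and server id in the sample policy are placeholders.

```python
import fnmatch
import json
TRANSFER_PRINCIPAL = "transfer.amazonaws.com"

def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def arn_like(pattern, arn):
    """ArnLike matching: case-insensitive, '*' matches any run, '?' one character."""
    return fnmatch.fnmatchcase(arn.lower(), pattern.lower())

def check_transfer_invoke(policy_document, server_arn):
    """Classify a Lambda resource policy (the "Policy" JSON string from `aws lambda
    get-policy`) for one Transfer Family server ARN: "scoped" (Transfer may invoke,
    only from this server), "unscoped" (allowed with no aws:SourceArn condition, so
    any server in any account) or "not_granted" (the 403 from the question)."""
    result = "not_granted"
    for stmt in _as_list(json.loads(policy_document).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else _as_list(principal)
        if TRANSFER_PRINCIPAL not in services and "*" not in services:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("lambda:invokefunction", a) for a in actions):
            continue
        patterns = []  # every aws:SourceArn pattern; condition keys are case-insensitive
        for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
            for key, value in stmt.get("Condition", {}).get(op, {}).items():
                if key.lower() == "aws:sourcearn":
                    patterns.extend(_as_list(value))
        if not patterns:
            result = "unscoped"
            continue
        if any(arn_like(p, server_arn) for p in patterns):
            return "scoped"
    return result

# Constructed sample of the answer's statement as get-policy returns it; account id and server id are placeholders.
SERVER_ARN = "arn:aws:transfer:eu-central-1:111122223333:server/s-0123456789abcdef0"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [{
    "Sid": "statement01", "Effect": "Allow", "Action": "lambda:InvokeFunction",
    "Principal": {"Service": "transfer.amazonaws.com"},
    "Resource": "arn:aws:lambda:eu-central-1:111122223333:function:name-of-my-lambda",
    "Condition": {"ArnLike": {"AWS:SourceArn": SERVER_ARN}}}]})
# Same grant with the condition dropped: any Transfer server anywhere could invoke.
UNSCOPED_POLICY = SAMPLE_POLICY.replace('"Condition"', '"Comment"')
```

Run it against the real output of `aws lambda get-policy --function-name name-of-my-lambda` after adding the statement; "not_granted" reproduces the AccessDeniedException from the question, and "unscoped" means the function can be invoked by Transfer servers outside your account.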

huangapple
  • Posted on 9 March 2023, 22:13:13
  • Please keep this link when reposting: https://go.coder-hub.com/75685774.html