AWS Lambda is never called for authentication in AWS Transfer Family

Question
I'm trying to set up AWS Transfer Family with an AWS Lambda function as a custom identity provider. Unfortunately the Lambda is never called. Every time I call identity provider testing I get:
{
  "Response": "{}",
  "StatusCode": 403,
  "Message": "Lambda function configuration error: AccessDeniedException"
}
These are the permission policies which are defined for the role of the Lambda:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "lambda:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:eu-central-1:log.group.number:*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:eu-central-1:087690012243:log-group:/aws/lambda/name-of-my-lambda:*"
    }
  ]
}
But I'm not sure this is really relevant. It feels like the Transfer Family server is lacking the right to call the Lambda. But I cannot find any setting to add a role or policy to the Transfer Family server itself.
Any ideas what's missing?
Answer 1
Score: 2
The Lambda also needs a resource-based policy which gives the AWS Transfer Family server the right to call it. This can be configured at the very bottom of the Lambda configuration GUI in the "Configuration" tab.
The following values have to be entered:
Statement ID: statement01
Principal: transfer.amazonaws.com
Effect: Allow
Action: lambda:InvokeFunction
Conditions:
{
  "ArnLike": {
    "AWS:SourceArn": "arn:aws:transfer:eu-central-1:your-account-number:server/your-aws-transfer-family-server-id"
  }
}
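As an added illustration (not code from the question or the answer), the following script models the resource-based policy described above and evaluates it the way Lambda's invoke authorization roughly does: without the statement the Transfer Family service principal is denied, with it the invoke is allowed, and the ArnLike condition on AWS:SourceArn keeps a server in another account from using the grant. The account id and server id are constructed placeholders, and the evaluator is a simplification of real IAM logic.

```python
"""Minimal evaluator for the Lambda resource-based policy a Transfer Family
custom identity provider needs. Added example; identifiers are placeholders."""
import fnmatch
import json

# Constructed placeholders, not real account or server identifiers.
ACCOUNT = "111111111111"
SERVER_ARN = f"arn:aws:transfer:eu-central-1:{ACCOUNT}:server/s-0123456789abcdef0"
TRANSFER = "transfer.amazonaws.com"


def transfer_invoke_statement(source_arn: str, sid: str = "statement01") -> dict:
    """Statement equivalent to the values entered in the Lambda console."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": TRANSFER},
        "Action": "lambda:InvokeFunction",
        "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}},
    }


def _arn_like(pattern: str, value: str) -> bool:
    """ArnLike: case-insensitive comparison where * and ? are wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_invoke_allowed(policy: dict, principal: str, source_arn: str) -> bool:
    """Simplified check: does any Allow statement grant lambda:InvokeFunction
    to this service principal for this SourceArn? Note that the Lambda's own
    execution role (the policies in the question) plays no part here; it only
    governs what the function may do once it runs, not who may invoke it."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != principal:
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "lambda:InvokeFunction" not in actions:
            continue
        pattern = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if pattern is None or _arn_like(pattern, source_arn):
            return True
    return False


EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [transfer_invoke_statement(SERVER_ARN)]}

if __name__ == "__main__":
    print(json.dumps(FIXED_POLICY, indent=2))
```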