How do I assign an existing custom IAM role as execution role for a lambda

Question


I am trying to assign an existing role created via the AWS console, but I face an error: Resource handler returned message: "The role defined for the function cannot be assumed by Lambda."

const customRole = Role.fromRoleName(this,"MyAPIRole", "EXISTINGEXECUTIONROLENAME")

.
.
.

this.lambdaFunction = new Function(this, 'CrispSkillUpdateBot', {
      functionName: ,
      description: ,
      code: ,
      handler: 'xyz.lambda_handler',
      role: customRole,
      memorySize: 512,
      timeout: Duration.seconds(30),
      runtime: Runtime.PYTHON_3_8,
    });

I face an error: Resource handler returned message: "The role defined for the function cannot be assumed by Lambda."

Answer 1

Score: 2


This is not necessarily a CDK-related problem. Your role needs a trust policy that allows the AWS Lambda service principal to assume the role.

Check out the documentation. The required trust policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

If your custom role was also created in CDK, you could use the following:

const customRole = new Role(this, 'Role', {
    // ...
    assumedBy: new ServicePrincipal('lambda.amazonaws.com'),
});
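
A pre-deployment check for the situation in this thread, as an added example that is not part of the original question or answer: `Role.fromRoleName` only references the role, so a trust policy that does not name the Lambda service principal surfaces only at deploy time. The helper names (`lambdaTrustVerdict` and the others) and the EC2-only sample policy are hypothetical and constructed for illustration.

```typescript
// Added example: offline check of an IAM trust policy document (the role's
// AssumeRolePolicyDocument). NotPrincipal, NotAction and Condition contents are not evaluated.
type OneOrMany<T> = T | T[];
interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: string | { Service?: OneOrMany<string>; AWS?: OneOrMany<string> };
  Action?: OneOrMany<string>;
  Condition?: Record<string, unknown>;
}
interface TrustPolicy { Version?: string; Statement: OneOrMany<Statement> }
type Verdict = "allowed" | "conditional" | "denied" | "missing";
const LAMBDA_PRINCIPAL = "lambda.amazonaws.com";
const toArray = <T>(v: OneOrMany<T> | undefined): T[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM action names are case-insensitive and may contain * and ? wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
  return re.test(action);
}

// Conservative: only an explicit Service principal entry counts, a bare "*" does not.
function coversLambdaAssumeRole(s: Statement): boolean {
  const services = typeof s.Principal === "object" ? toArray(s.Principal.Service) : [];
  return services.some((p) => p === LAMBDA_PRINCIPAL) &&
    toArray(s.Action).some((a) => actionMatches(a, "sts:AssumeRole"));
}

// Verdict for "can Lambda assume this role", judged from the trust policy alone.
function lambdaTrustVerdict(policy: TrustPolicy): Verdict {
  const hits = toArray(policy.Statement).filter(coversLambdaAssumeRole);
  if (hits.some((s) => s.Effect === "Deny")) return "denied"; // explicit Deny wins
  const allows = hits.filter((s) => s.Effect === "Allow");
  if (allows.some((s) => s.Condition === undefined)) return "allowed";
  return allows.length > 0 ? "conditional" : "missing";
}

// Constructed sample: a role whose trust policy names only the EC2 service.
const ec2Only: TrustPolicy = {
  Statement: { Effect: "Allow", Principal: { Service: "ec2.amazonaws.com" }, Action: "sts:AssumeRole" },
};
// The trust policy from the answer above.
const lambdaTrusted: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
};
console.log(lambdaTrustVerdict(ec2Only), lambdaTrustVerdict(lambdaTrusted)); // missing allowed
```

A "missing" verdict corresponds to the error in the question; "conditional" means the only matching Allow statements carry a Condition block that still has to be reviewed by hand.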

huangapple
  • Posted on July 10, 2023, 17:13:38
  • When reposting, please keep this link: https://go.coder-hub.com/76652314.html