Asked by: viswanath thatha  Asked: 9/28/2023  Last edited by: Ermiya Eskandary, viswanath thatha  Updated: 10/3/2023  Views: 26
AWS identity-based policy error in Lambda script
Q:
I have a Lambda script that builds a custom metric to notify us of errors in an ECS Fargate Python script. Below is the code block used:
import boto3

# Setup not shown in the question: the log group name is taken from the
# error message below; the filter pattern value is an assumption.
logs = boto3.client("logs")
log_group_name = "/ecs/github-pr"
filter_pattern = "ERROR"

def get_error_count():
    # Pick the most recently written log stream in the group
    log_streams = logs.describe_log_streams(
        logGroupName=log_group_name,
        orderBy='LastEventTime',
        descending=True,
        limit=1)['logStreams']
    if log_streams:
        log_stream_name = log_streams[0]['logStreamName']
        print(f"Search for log stream {log_stream_name}")
        # Only events matching the filter pattern are returned
        response = logs.filter_log_events(
            logGroupName=log_group_name,
            logStreamNames=[log_stream_name],
            filterPattern=filter_pattern,
            interleaved=False)
        return len(response['events'])
    return 0
However, when the script runs in the Lambda function, I get the following error message:
[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeLogStreams operation: User: arn:aws:sts::253579060874:assumed-role/cloudwatch_custom_metric-role-2c9dwrgu/cloudwatch_custom_metric is not authorized to perform: logs:DescribeLogStreams on resource: arn:aws:logs:us-west-1:253579060874:log-group:/ecs/github-pr:log-stream: because no identity-based policy allows the logs:DescribeLogStreams action
I have attached a logs:DescribeLogStreams policy for the resource; below is that policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:*",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:GetRole",
        "iam:ListRoles",
        "events:PutRule",
        "events:ListRules",
        "events:DeleteRule",
        "events:DescribeEventBus",
        "events:ListEventBuses",
        "events:ListTargetsByRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "schemas:ListDiscoverers",
        "cloudformation:DescribeStacks",
        "s3:ListAllMyBuckets",
        "ecr:CreateRepository",
        "ecr:DescribeRepositories",
        "ecr:GetAuthorizationToken",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:UploadLayerPart",
        "ecr:BatchDeleteImage",
        "ecr:SetRepositoryPolicy",
        "ecr:GetRepositoryPolicy",
        "ecr:DeleteRepository",
        "cloudwatch:GetMetricData",
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketAcl",
        "s3:ListAccessPoints"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::latticework*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:CreateBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:ListBucketVersions",
        "s3:DeleteBucket",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::latticework*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::s3-skilljar-data*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:CreateBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:ListBucketVersions",
        "s3:DeleteBucket",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::s3-skilljar-data*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::s3-finance-data*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:CreateBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:ListBucketVersions",
        "s3:DeleteBucket",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::s3-finance-data*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::s3-aws-cost-data*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketVersioning",
        "s3:CreateBucket",
        "s3:PutBucketOwnershipControls",
        "s3:PutBucketPublicAccessBlock",
        "s3:ListBucketVersions",
        "s3:DeleteBucket",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::s3-aws-cost-data*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::253579060874:user/${lambda_user}"
    }
  ]
}
But I still get the error. Please help.
The existing inline policy that doesn't work
A:
0 votes
viswanath thatha
10/3/2023
#1
Problem solved.
The issue was that the policy was not mapped to the Lambda script's role. So I took the role assigned to the Lambda script and attached the policy to that role.
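The error message names the principal that was evaluated (the assumed-role ARN, i.e. the Lambda execution role), and "no identity-based policy allows" means the policies attached to that principal were checked and none matched; policies on any other user or role are irrelevant. The following is an added example, not code from the question or the answer: a small Python model of that evaluation, a least-privilege policy scoped to the one log group the script reads, and the attachment step from the answer done against the role Lambda actually runs as. The account, region, log group and role name come from the error message above; "deploy-user", the filter pattern and the policy name "logs-read-scoped" are hypothetical. The evaluator treats statements with a Condition as not matching and does not model NotAction/NotResource, resource-based policies, permission boundaries or SCPs.

```python
import json
import re

# Identifiers taken from the error message in the question.
ACCOUNT = "253579060874"
REGION = "us-west-1"
LOG_GROUP = "/ecs/github-pr"
FUNCTION_ROLE = "cloudwatch_custom_metric-role-2c9dwrgu"  # from the assumed-role ARN
DENIED_RESOURCE = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:{LOG_GROUP}:log-stream:"

# The logs statement from the policy in the question, on its own. It does allow
# the call; the problem was which principal it was attached to.
POLICY_FROM_QUESTION = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["logs:DescribeLogGroups", "logs:DescribeLogStreams",
               "logs:GetLogEvents", "logs:FilterLogEvents"],
    "Resource": "*"}]}

def scoped_logs_policy(region, account, log_group):
    """Least-privilege replacement: only the two actions get_error_count()
    calls, only on one log group. The ':*' suffix also covers the group's
    log streams, which is the resource form the error message reports."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:DescribeLogStreams", "logs:FilterLogEvents"],
        "Resource": f"arn:aws:logs:{region}:{account}:log-group:{log_group}:*"}]}

def _glob_to_regex(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")

def _matches(patterns, value, case_sensitive):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if not case_sensitive:  # action names are case-insensitive, ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(_glob_to_regex(p).match(value) for p in patterns)

def is_allowed(policies, action, resource):
    """Simplified identity-based evaluation: an explicit Deny anywhere wins,
    otherwise any matching Allow grants, otherwise implicit deny.
    Toy simplifications: a statement with a Condition is treated as not
    matching; NotAction/NotResource are rejected rather than modelled."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if "NotAction" in st or "NotResource" in st:
                raise ValueError("NotAction/NotResource not supported by this toy")
            if st.get("Condition"):
                continue
            if not _matches(st["Action"], action, case_sensitive=False):
                continue
            if not _matches(st["Resource"], resource, case_sensitive=True):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def explain(attached, principal, action, resource):
    """attached maps a principal name to the policy documents on it. Only the
    policies on *that* principal count, which is what the error is about."""
    if is_allowed(attached.get(principal, []), action, resource):
        return "allowed"
    return f"{principal} is not authorized to perform: {action} on resource: {resource}"

def attach_to_function_role(function_name, policy, policy_name="logs-read-scoped"):
    """The fix from the answer, done against the role Lambda actually runs as:
    read the role off the function instead of assuming it, then put the policy
    inline on that role. Needs boto3 and credentials, so it is not run offline."""
    import boto3  # imported lazily so the rest of the module runs without it
    role_arn = boto3.client("lambda").get_function_configuration(
        FunctionName=function_name)["Role"]
    role_name = role_arn.split("/")[-1]
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name, PolicyDocument=json.dumps(policy))
    return role_name

if __name__ == "__main__":
    action = "logs:DescribeLogStreams"
    # Before: the policy exists, but on another principal (hypothetical
    # "deploy-user"); the function's execution role has nothing on it.
    before = {"deploy-user": [POLICY_FROM_QUESTION], FUNCTION_ROLE: []}
    print(explain(before, FUNCTION_ROLE, action, DENIED_RESOURCE))
    # After: the scoped policy sits on the execution role itself.
    after = {FUNCTION_ROLE: [scoped_logs_policy(REGION, ACCOUNT, LOG_GROUP)]}
    print(explain(after, FUNCTION_ROLE, action, DENIED_RESOURCE))
    other = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/ecs/other-service:log-stream:"
    print(explain(after, FUNCTION_ROLE, "logs:FilterLogEvents", other))
```

Two practical points follow from this. First, the policy in the question is far broader than the script needs: on whichever principal it ends up, lambda:* together with iam:CreateRole, iam:AttachRolePolicy and a PassRole to lambda.amazonaws.com on Resource "*" lets that principal create a role with any managed policy and run code under it, so it should not be copied onto the execution role wholesale; the scoped statement above is all get_error_count() requires. Second, the role name should be read from the function configuration (as attach_to_function_role does) rather than typed by hand, since the role in the error message carries a generated suffix that is easy to mistake for a similarly named role.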