下面是我在SAM模板中编写的内容,用于赋予RDS调用lambda函数的权限。我添加了类似于其他服务的策略键来授予权限,但RDS似乎不是这种情况。
Type: AWS::RDS::DBInstance
Properties:
DBName: !Ref DBName
Engine: postgres
MasterUsername: !Ref DBUsername
DBInstanceClass: !Ref DBClass
DBInstanceIdentifier: testdb
DBSecurityGroups:
- !Ref DBSecurityGroup
AllocatedStorage: !Ref DBAllocatedStorage
MasterUserPassword: !Ref DBPassword
Policies:
- Statement:
- Sid: LambdaCrudPolicy
Effect: Allow
Action:
- lambda:InvokeFunction
Resource: !GetAtt TestFunction.Arn
获取错误:资源
DBInstance属性验证失败,消息:#:无关键
[Policies]是不允许的
我如何给我的实例lambda权限?
尝试AssociatedRoles,获取错误-尝试,但错误失败-资源处理程序返回消息:"无效的角色ARN: event- driver - Service - rootrole - 4pbv76o7
(Service: Rds, Status Code: 400, Request ID:
46bye4ae-ca93-4a17-b47b-6c397b862c81)">
(RequestToken:
70cxa135-8d79-838c-3b31-0b146ae75db1,
HandlerErrorCode: InvalidRequest)创建以下资源失败
这里是新的cft:
Description: The service contains the lambda function that handles the routing of emails.
Resources:
RootRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
Service:
- "rds.amazonaws.com"
Action:
- "sts:AssumeRole"
Path: "/"
Policies:
- PolicyName: RDSLambdaCrud
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: LambdaCrudPolicy
Effect: Allow
Action:
- lambda:InvokeFunction
Resource: "*"
DBInstance:
Type: AWS::RDS::DBInstance
Properties:
DBName: dbname
Engine: postgres
MasterUsername: dbuser
DBInstanceClass: db.t3.micro
DBInstanceIdentifier: artifacts
AllocatedStorage: 5
MasterUserPassword: qwert1234
AssociatedRoles:
- FeatureName: InvokeLambda
RoleArn: !Ref RootRole
我哪里错了?
您应该使用VPCSecurityGroups,而不是DBSecurityGroups。DBSecurityGroups的存在只是为了向后兼容,现在它不用于新的RDS实例。
在AWS::RDS::DBInstance中没有Policies属性。请参考可用于AWS::RDS::DBInstance的有效属性链接的AWS文档。