Lambda does not inherit IAM permissions when deploying with the Serverless Framework (CloudFormation)



I have the following serverless.yml file, which deploys an application to AWS by creating an S3 bucket and a Lambda function. However, the IAM role created for the Lambda function is the standard one that allows logging to CloudFront (see below) rather than one that allows access to S3. The permissions defined in the IAM role are not granted to the Lambda. Am I missing something? Do I have to reference the IAM role in the Lambda function definition in serverless.yml?

service: webanalysistool
custom:
  stage: ${opt:stage, 'dev'}
# plugins:
#   - serverless-offline
provider:
  name: aws
  runtime: nodejs14.x
  memorySize: 1024
  stage: ${self:custom.stage}
  # todo change it to your aws config
  profile: cl_dev
  versionFunctions: false
  environment:
    bucketName: "webanalysistool-${self:custom.stage}"
  architecture: arm64
  iam:
    role:
      statements:
        # Allow functions to list all buckets
        - Effect: Allow
          Action: "s3:ListBucket"
          Resource: "*"
        # Allow functions to read/write objects in a bucket
        - Effect: Allow
          Action:
            - "s3:GetObject"
            - "s3:PutObject"
          Resource:
            - "arn:aws:s3:::${self:provider.environment.bucketName}/*"
package:
  exclude:
    - "node_modules/aws-sdk/**"
functions:
  analyse:
    handler: src/handler.start
    timeout: 150
    events:
      - s3:
          bucket: ${self:provider.environment.bucketName}
          event: s3:ObjectCreated:*
          rules:
            - prefix: input/

The IAM role policy created for the Lambda function during deployment (I masked the AWS account ID):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/webanalysistool-dev*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/webanalysistool-dev*:*:*"
      ],
      "Effect": "Allow"
    }
  ]
}
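An added offline check (example code, not from the question or the answer): it takes the role policy reported in the question and the statements the provider.iam.role.statements block was supposed to add, and evaluates concrete action/resource pairs the handler needs against them using IAM's wildcard rules (explicit Deny wins, no matching Allow is an implicit deny). The policy documents, the sample object keys and log-stream name are constructed inline so the script runs without AWS access; NotAction, NotResource and Condition are not modelled, which is an assumption, not full IAM semantics. The least-privilege check at the end flags the ListBucket statement because it is granted on every bucket rather than on arn:aws:s3:::webanalysistool-dev.

```python
"""Check a deployed Lambda execution-role policy against what serverless.yml asked for.

Added example, not part of the original question or answer. OBSERVED_POLICY is
the role policy the question reports after deploy (account ID already masked as
999999999999); INTENDED_STATEMENTS is what provider.iam.role.statements should
have added. Both are constructed inline so this runs offline. Only Effect,
Action and Resource are evaluated (assumption: NotAction/NotResource/Condition
are ignored).
"""
import re

OBSERVED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:CreateLogGroup"],
         "Resource": ["arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/webanalysistool-dev*:*"]},
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/webanalysistool-dev*:*:*"]},
    ],
}

INTENDED_STATEMENTS = [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::webanalysistool-dev/*"]},
]

# Concrete (action, resource) pairs the handler needs at run time. The object
# keys and the log-stream name are constructed examples.
REQUIRED = [
    ("s3:ListBucket", "arn:aws:s3:::webanalysistool-dev"),
    ("s3:GetObject", "arn:aws:s3:::webanalysistool-dev/input/sample.txt"),
    ("s3:PutObject", "arn:aws:s3:::webanalysistool-dev/output/sample.json"),
    ("logs:PutLogEvents",
     "arn:aws:logs:us-east-1:999999999999:log-group:/aws/lambda/webanalysistool-dev-analyse:log-stream:2021/06/01/[$LATEST]abc123"),
]


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _match(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Explicit Deny overrides any Allow; no matching Allow is an implicit deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue  # action names are case-insensitive
        if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource"))):
            continue  # ARNs are compared case-sensitively
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_grants(policy, required):
    """(action, resource) pairs from `required` that the policy does not allow."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


def with_statements(policy, statements):
    """Copy of `policy` with extra statements appended, i.e. what the deploy should have produced."""
    return {**policy, "Statement": list(policy.get("Statement", [])) + list(statements)}


def overly_broad(statements):
    """Least-privilege check: Allow statements scoped to every resource or every action of a service."""
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        wide_resource = "*" in _as_list(stmt.get("Resource"))
        wide_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        if wide_resource or wide_action:
            hits.append(stmt)
    return hits


if __name__ == "__main__":
    for action, resource in missing_grants(OBSERVED_POLICY, REQUIRED):
        print(f"MISSING  {action:<18} {resource}")
    fixed = with_statements(OBSERVED_POLICY, INTENDED_STATEMENTS)
    print("missing after adding the intended statements:", missing_grants(fixed, REQUIRED))
    for stmt in overly_broad(INTENDED_STATEMENTS):
        print("BROAD    allows", stmt["Action"], "on", stmt["Resource"])
```

To run this against a real deployment, replace OBSERVED_POLICY with the PolicyDocument returned by `aws iam get-role-policy --role-name <role> --policy-name <policy>` for the role shown in `aws lambda get-function-configuration --function-name <name>`; if the S3 pairs come back as missing, the statements never reached the role, which is a serverless.yml problem rather than a handler problem.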

Works for me:

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "s3:PutObject"
      - "s3:GetObject"
      - "s3:PutBucketAcl"
      - "s3:PutObjectAcl"
      - "s3:DeleteObject"
    Resource:
      - "arn:aws:s3:::${YOU_BUCKET}/*"

events:
  - s3:
      existing: true
      bucket: !Ref YOU_BUCKET
      event: s3:ObjectCreated:*
      rules:
        - prefix: input/
