我在账户A中有代码构建,构建规范包含更新位于账户B中的lambda函数的步骤。请注意,S3包含zip文件,S3在账户A本身中。
附加到代码生成的角色是roleA。
假设我们有两个角色:
- 账户A中的角色A
- 账户B中的角色B
roleA信任关系策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
角色A的附加策略:
- S3FullAccess
- 代码构建策略
- LambdaFullAccess
- 交叉账户政策
交叉账户政策:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNTID_B:role/roleB"
}
}
角色B信任关系政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTID_A:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
角色B的附加策略:
- AWSLambda_FullAccess
当我运行代码构建时,我得到以下错误:
An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation: User: arn:aws:sts::ACCOUNTID_A:assumed-role/roleA/AWSCodeBuild-01f59836-f3e4-9732-d910-ff40967882f9 is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-west-1:ACCOUNTID_B:function:lambdafunctionhere because no resource-based policy allows the lambda:UpdateFunctionCode action
Buildspec文件:
version: 0.2
phases:
build:
commands:
- aws --version
- aws lambda update-function-code --function-name arn:aws:lambda:us-west-1:ACCOUNTID_B:function:lambdafunctionnamehere --s3-bucket s3_zip_accountA --s3-key Lambda/package.zip
您可以向lambda函数添加资源策略(这与IAM策略不同(:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "AllowUpdateFunction",
"Effect": "Allow",
"Principal": {
"AWS": "ARN of code build role"
},
"Action": "lambda:UpdateFunctionCode",
"Resource": "<ARN of lambda function>"
}
]
}