I am working on a SAM template to publish my application in the AWS Serverless Application Repository. However, when I try to add policies to my Lambda, it shows the error: Invalid Serverless Application Specification document. Number of errors found: 1. Errors: Resource with id [SyncPostDataToSfLambda] is invalid. Policy templates are supported only in the 'Policies' property.
Below is a sample of my SAM template:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Description": "Deployment",
  "Resources": {
    "SyncPostDataToSfLambda": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler",
        "FunctionName": "myLambdaFunction",
        "CodeUri": "s3 URL",
        "Runtime": "nodejs6.10",
        "MemorySize": 512,
        "Policies": [
          "AmazonDynamoDBFullAccess"
        ],
        "Events": {
          "PostResource": {
            "Type": "Api",
            "Properties": {
              "RestApiId": {
                "Ref": "API"
              },
              "Path": "/apipath",
              "Method": "post"
            }
          }
        }
      }
    }
  }
}
As of today (2018-10-09), SAM templates support inline policy documents.
Here is an example:
Resources:
  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      Policies:
        - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
                - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
                - ssm:GetParameters
                - ssm:GetParameter
              Resource: '*'
References:
- Policies property of AWS::Serverless::Function in the AWS SAM specification
- related issue on GitHub
Below is the full list of policy templates from the examples in the official repo.
Transform: AWS::Serverless-2016-10-31
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: src/
      Handler: index.handler
      Runtime: nodejs4.3
      Policies:
        - SQSPollerPolicy:
            QueueName: name
        - LambdaInvokePolicy:
            FunctionName: name
        - CloudWatchPutMetricPolicy: {}
        - EC2DescribePolicy: {}
        - DynamoDBCrudPolicy:
            TableName: name
        - DynamoDBReadPolicy:
            TableName: name
        - SESSendBouncePolicy:
            IdentityName: name
        - ElasticsearchHttpPostPolicy:
            DomainName: name
        - S3ReadPolicy:
            BucketName: name
        - S3CrudPolicy:
            BucketName: name
        - AMIDescribePolicy: {}
        - CloudFormationDescribeStacksPolicy: {}
        - RekognitionDetectOnlyPolicy: {}
        - RekognitionNoDataAccessPolicy:
            CollectionId: id
        - RekognitionReadPolicy:
            CollectionId: id
        - RekognitionWriteOnlyAccessPolicy:
            CollectionId: id
        - RekognitionLabelsPolicy: {}
        - SQSSendMessagePolicy:
            QueueName: name
        - SNSPublishMessagePolicy:
            TopicName: name
        - VPCAccessPolicy: {}
        - DynamoDBStreamReadPolicy:
            TableName: name
            StreamName: name
        - KinesisStreamReadPolicy:
            StreamName: name
        - SESCrudPolicy:
            IdentityName: name
        - SNSCrudPolicy:
            TopicName: name
        - KinesisCrudPolicy:
            StreamName: name
        - KMSDecryptPolicy:
            KeyId: keyId
        - SESBulkTemplatedCrudPolicy:
            IdentityName: name
        - SESEmailTemplateCrudPolicy: {}
        - FilterLogEventsPolicy:
            LogGroupName: name
        - StepFunctionsExecutionPolicy:
            StateMachineName: name
It seems that currently only SAM policy templates can be used.
AWS maintains the authoritative information / overview of SAM policy templates here: https://docs.aws.amazon.com/serverlessrepo/latest/devguide/using-aws-sam.html
The documentation also states that you should contact AWS Support if you need further AWS resources and/or policy templates.
A short overview and example can be found here: https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/policy_templates/all_policy_templates.yaml
Here is an overview of the SAM policy templates supported at the time of writing this answer:
- SQSPollerPolicy (provides sqs:DeleteMessage, sqs:ReceiveMessage)
- LambdaInvokePolicy (provides lambda:InvokeFunction)
- CloudWatchPutMetricPolicy (provides cloudwatch:PutMetricData)
- EC2DescribePolicy (provides ec2:DescribeRegions, ec2:DescribeInstances)
- DynamoDBCrudPolicy (provides dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:PutItem, dynamodb:Scan, dynamodb:Query, dynamodb:UpdateItem, dynamodb:BatchWriteItem, dynamodb:BatchGetItem)
- DynamoDBReadPolicy (provides dynamodb:GetItem, dynamodb:Scan, dynamodb:Query, dynamodb:BatchGetItem)
- SESSendBouncePolicy (provides ses:SendBounce)
- ElasticsearchHttpPostPolicy (provides es:ESHttpPost)
- S3ReadPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:GetLifecycleConfiguration)
- S3CrudPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:PutObject, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration)
- AMIDescribePolicy (provides ec2:DescribeImages)
- CloudFormationDescribeStacksPolicy (provides cloudformation:DescribeStacks)
- RekognitionNoDataAccessPolicy (provides rekognition:CompareFaces, rekognition:DetectFaces, rekognition:DetectLabels, rekognition:DetectModerationLabels)
- RekognitionReadPolicy (provides rekognition:ListCollections, rekognition:ListFaces, rekognition:SearchFaces, rekognition:SearchFacesByImage)
- RekognitionWriteOnlyAccessPolicy (provides rekognition:CreateCollection, rekognition:IndexFaces)
- SQSSendMessagePolicy (provides sqs:SendMessage*)
- SNSPublishMessagePolicy (provides sns:Publish)
- VPCAccessPolicy (provides ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface)
- DynamoDBStreamReadPolicy (provides dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:ListStreams)
- KinesisStreamReadPolicy (provides kinesis:ListStreams, kinesis:DescribeLimits)
- SESCrudPolicy (provides ses:GetIdentityVerificationAttributes, ses:SendEmail, ses:VerifyEmailIdentity)
- SNSCrudPolicy (provides sns:ListSubscriptionsByTopic, sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sns:Publish)
- KinesisCrudPolicy (provides ..., kinesis:SplitShard, kinesis:RemoveTagsFromStream)
- KMSDecryptPolicy (provides kms:Decrypt)
Almost every one of these policy templates has to be configured. Please read the AWS documentation (link) on how to configure these templates.
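Putting the answers together for the question's template, here is an added example (not from the question or any of the answers) of the function rewritten in YAML with the managed policy name replaced by the DynamoDBCrudPolicy template, which is the form the Serverless Application Repository error asks for and which grants only the CRUD actions listed above on one table instead of full DynamoDB access. The table resource, its name, the CodeUri value and the TABLE_NAME variable are assumptions; the question's RestApiId reference is dropped because the API resource it points to is not shown, so SAM creates the API implicitly.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Deployment

Resources:
  # Assumed table: declaring it in the same template lets the policy
  # template be scoped to it with !Ref instead of a wildcard.
  PostDataTable:
    Type: AWS::DynamoDB::Table
    Properties:
      TableName: post-data            # assumed name
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: id
          AttributeType: S
      KeySchema:
        - AttributeName: id
          KeyType: HASH

  SyncPostDataToSfLambda:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      FunctionName: myLambdaFunction
      CodeUri: s3://placeholder-bucket/function.zip   # placeholder, as in the question
      Runtime: nodejs8.10
      MemorySize: 512
      Environment:
        Variables:
          TABLE_NAME: !Ref PostDataTable   # assumed variable read by index.handler
      Policies:
        # Policy template instead of the AmazonDynamoDBFullAccess managed
        # policy: only GetItem/PutItem/UpdateItem/DeleteItem/Scan/Query/
        # Batch* on PostDataTable, nothing on any other table.
        - DynamoDBCrudPolicy:
            TableName: !Ref PostDataTable
      Events:
        PostResource:
          Type: Api
          Properties:
            Path: /apipath
            Method: post
```

If no template fits, the inline `Statement` form from the first answer can be added to the same `Policies` list, but the third answer notes that the Serverless Application Repository may accept only policy templates.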