AWS Lambda 在调用 Redshift 'CreateCluster'操作时收到'Access Denied'错误，即使 IAM 角色具有完全 Redshift 权限也是如此

我有一个用python 2.7编写的lambda函数（rsops），以通过调用boto3的'create_cluster（）'方法：

来创建红移群集。

def spinup_cluster(CID, RSU, RSP, RSDB, RSSG, RSAZ, RSPG):
    RSC = boto3.client('redshift', region_name=RSAZ[:-1])
    return RSC.create_cluster(
        DBName=RSDB,
        ClusterIdentifier=CID,
        ClusterType='multi-node',
        NodeType='ds2.xlarge',
        MasterUsername=RSU,
        MasterUserPassword=RSP,
        VpcSecurityGroupIds=[RSSG],
        ClusterSubnetGroupName='data',
        AvailabilityZone=RSAZ,
        PreferredMaintenanceWindow='sun:03:00-sun:03:30',
        ClusterParameterGroupName=RSPG,
        AutomatedSnapshotRetentionPeriod=1,
        Port=5439,
        ClusterVersion='1.0',
        AllowVersionUpgrade=True,
        NumberOfNodes=2,
        PubliclyAccessible=True,
        Tags=[
            {
                'Key': 'product',
                'Value': 'data'
            },
        ],
        Encrypted=False)

分配给此lambda功能的IAM角色已完全访问RedShift（用于测试目的）：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LambdaInvokeLambda",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:012345678901:function:spinuprs*",
                "arn:aws:lambda:us-east-1:012345678901:function:rsops*"
            ]
        },
        {
            "Sid": "PassRoleOverToUser",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:012345678901:function:rsops*",
                "arn:aws:redshift:us-east-1:012345678901:cluster:*",
                "arn:aws:redshift:us-west-2:012345678901:cluster:*"
            ]
        },
        {
            "Sid": "RSAccess",
            "Action": "redshift:*",
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

信托政策授予ec2，lambda和redshift的pers'限制：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "redshift.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

在

Spin up testcluster (us-east-1, 1-node) ...
Traceback (most recent call last):
  File "./rsops.py", line 163, in <module>
    resp=spinup_cluster(cid, rsu, rsp, rsdb, rssg, rsaz, rspg)
  File "./rsops.py", line 87, in spinup_cluster
    Encrypted=False)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python2.7/site-packages/botocore/client.py", line 624, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.UnauthorizedOperation: An error occurred (UnauthorizedOperation) when calling the CreateCluster operation: Access Denied. Please ensure that your IAM Permissions allow this operation.

我可以毫无问题地调用delete_cluster（）和Dorcord_clusters（），我还从boto3 sts api中称为'get_caller_identity（）'以验证其使用正确的IAM角色。

我正在在一个通过NAT实例访问Internet的私有子网中运行Lambda功能，但是私有子网不应该是问题，因为我有其他lambda func在其中运行。我在同一子网中具有以下环境的实例，并附上相同的IAM角色，但我仍然遇到相同的错误：

AMI: amzn-ami-hvm-2018.03.0.20181129-x86_64-gp2
Python version: 2.7.14
boto3 version: 1.9.64

如果需要更多细节，请告诉我。我一直试图调试一个星期，但我无法弄清楚，任何帮助都将不胜感激！

ec2:DescribeAccountAttributes
ec2:DescribeAddresses
ec2:DescribeAvailabilityZones
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DescribeInternetGateways