我正在尝试向组中的选定成员授予lambda执行访问权限。用户通过PingFederate进行身份验证。我在向联合身份用户授予此选择性访问权限时遇到问题。
我有一个附加到此角色的自定义 IAM 策略(允许 lambda 调用选择性)。尽管策略似乎通过了验证并且策略模拟显示允许访问,但当我尝试执行 lambda 函数时,我收到消息
Calling the invoke API action failed with this message: User:arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function
这是我的策略:允许-lambda-invocation-selective
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
}
]
}
我错过了什么吗?
我试图理解你的问题。如果我做出了错误的假设,请纠正我。
- 每个组/用户都已经有自己的角色。
对用户进行身份验证时,他们具有其代入的角色。myuser1234,经过身份验证后,将获得arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234角色,对吧?是否可以为每个组创建一个角色并删除conditions属性(检查解释原因的第 2 项)?
// role-for-grp-l2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*"
}
]
}
aws:userid的问题
阅读有关密钥的文档aws:userid我们可以找到此密钥具有角色 id:caller-指定-role-name给出的值,
其中,角色 ID 是角色的唯一 ID,调用方指定的角色名称由传递给 AssumeRole 请求的 RoleSessionName 参数指定。
所以aws:userid像AIDAJQABLZS4A3QDU576Q:SomeNameYouGive一样有价值.因此,您的条件永远不会与arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234匹配,然后用户无法承担该操作。
- 以另一种方式使用条件
假设用户名RoleSessionName,您可以通过以下方式使用条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
}
]
}
如果您愿意,可以使用以下命令删除*通配符,使用 AWS CLI 获取role id:
aws iam get-role --role-name ROLE_NAME
并更改条件,如下所示:
"Condition": {
"StringEquals": {
"aws:userid": "ROLE_ID:myuser1234"
}
}