我有一个IAM组,可以为其用户分配一些权限。许多权限之一是访问Lambda函数。这些lambda函数在DynamoDB表中添加简单的注释。对于尝试在AWS控制台中测试Lambda的用户,响应为:
User: arn:aws:sts::11111111111:assumed-role/jd-176-LambdaToDynamoDBCommentTableRole-1QGT8KW7YAUAA/jd-176-LambdaCreationHelperSta-SaveCommentFunction-LQRLLIVVRDS5 is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:us-east-1:11111111111:table/aws-serverless-config
这很奇怪,因为它看起来像我允许dynamodb:GetItem,等等上arn:aws:dynamodb:us-east-1:11111111111:table/aws-serverless-config。
LambdaToDynamoDBCommentTableRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:11111111111:table/jd-176-BlogComment",
"arn:aws:dynamodb:us-east-1:11111111111:table/jd-176-serverless-config"
],
"Effect": "Allow",
"Sid": "AllowDynamoDB"
}
]
}
非常感谢您的帮助。如果需要更多信息,我们很乐意提供。
错误消息是正确的。它表明您正在尝试访问aws-serverless-config表,但是您LambdaToDynamoDBCommentTableRole仅允许访问:
如果要允许访问aws-serverless-config,则必须将其添加到LambdaToDynamoDBCommentTableRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:11111111111:table/jd-176-BlogComment",
"arn:aws:dynamodb:us-east-1:11111111111:table/jd-176-serverless-config",
"arn:aws:dynamodb:us-east-1:11111111111:table/aws-serverless-config"
],
"Effect": "Allow",
"Sid": "AllowDynamoDB"
}
]
}
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句