【Question title】: AWS StepFunctions: Error while creating State Machine using AWS-SDK through Lambda
【Posted】: 2019-03-13 14:29:26
【Question】:

I am trying to create a state machine in AWS Step Functions using the AWS SDK, e.g.

stepfunctions.createStateMachine(params, function(err, data)...

I created a Lambda in the AWS console and added the code that creates the state machine. I also gave the role the permissions to execute this Lambda and to create state machines, and I verified the role's permissions with the policy simulator, which was fine (allowed). But when I execute the Lambda I get an AccessDeniedException:

  "errorMessage": "User: arn:aws:sts::555555555:assumed-role/SFN_API_role/SFAPITest is not authorized to perform: states:CreateStateMachine on resource: arn:aws:states:us-east-1:555555555:stateMachine:*",
  "errorType": "AccessDeniedException"

"SFN_API_role" is the role and "SFAPITest" is the Lambda. This is the policy as defined:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "states:ListStateMachines",
                "states:ListActivities",
                "states:CreateStateMachine",
                "states:CreateActivity"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:DescribeStateMachine",
                "states:StartExecution",
                "states:DeleteStateMachine",
                "states:ListExecutions"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:DescribeExecution",
                "states:GetExecutionHistory",
                "states:StopExecution"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "states:DescribeActivity",
                "states:DeleteActivity",
                "states:GetActivityTask",
                "states:SendTaskSuccess",
                "states:SendTaskFailure",
                "states:SendTaskHeartbeat"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Any pointers appreciated!

【Comments】:

  • I think the log is already clear: an access denied exception, which means the role you are assuming does not have permission to create a state machine

Tags: amazon-web-services aws-lambda aws-step-functions aws-iam amazon-iam


【Answer 1】:

You are using "Resource": ["*"] instead of "Resource": "*". Just change the first part of your policy to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "states:ListStateMachines",
                "states:ListActivities",
                "states:CreateStateMachine",
                "states:CreateActivity"
            ],
            "Resource": "*"
        },
...
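An added example, not code from the question or the answer: a small local evaluator for the Allow statements of an IAM identity policy, run against the action and resource quoted in the AccessDeniedException above. IAM accepts `Resource` (and `Action`) as either a single string or a list of strings, and the evaluator treats both the same, so the statement above yields Allow in both spellings. It also flags the `"iam:PassRole"` on `"*"` statement from the question, which together with `states:CreateStateMachine` lets the function create a state machine that runs as any role in the account. The account id and ARNs are the placeholders from the question; the probe role name `SomeUnrelatedRole` is hypothetical. Deny statements, Condition blocks, NotAction/NotResource, permission boundaries and SCPs are not modelled.

```python
"""Added example, not code from the question or the answer: a minimal local
evaluator for the Allow statements of an IAM identity policy, used to check
the policy posted above against the action and resource quoted in the
AccessDeniedException.

Only the parts of IAM evaluation needed for that check are modelled: '*' and
'?' wildcards, case-insensitive action names, and Action/Resource given either
as a single string or as a list (IAM accepts both). Deny statements, Condition
blocks, NotAction/NotResource, permission boundaries and SCPs are out of scope,
so an Allow from this code is necessary but not sufficient for AWS to allow.
"""
import re

# Constructed input: the two statements from the question that matter here,
# with the first one written in both spellings the answer discusses.
CREATE_STATEMENT_LIST = {
    "Effect": "Allow",
    "Action": [
        "states:ListStateMachines",
        "states:ListActivities",
        "states:CreateStateMachine",
        "states:CreateActivity",
    ],
    "Resource": ["*"],
}
CREATE_STATEMENT_STRING = dict(CREATE_STATEMENT_LIST, Resource="*")
PASSROLE_STATEMENT = {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["*"]}

# Copied from the error message in the question (placeholder account id as posted).
ACCOUNT_ID = "555555555"
DENIED_ACTION = "states:CreateStateMachine"
DENIED_RESOURCE = f"arn:aws:states:us-east-1:{ACCOUNT_ID}:stateMachine:*"


def build_policy(*statements):
    """Wrap statements in a policy document of the version used in the question."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


def _as_list(value):
    """IAM JSON allows Action and Resource to be one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one
    character; everything else is literal, including ':' and '/' in ARNs."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def statement_allows(statement, action, resource):
    """True if this single Allow statement covers the (action, resource) pair."""
    if statement.get("Effect") != "Allow":
        return False
    action_ok = any(_glob_match(p, action, ignore_case=True) for p in _as_list(statement["Action"]))
    resource_ok = any(_glob_match(p, resource) for p in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def policy_allows(policy, action, resource):
    """True if any statement allows the request; no Deny evaluation is modelled."""
    return any(statement_allows(s, action, resource) for s in policy["Statement"])


def unrestricted_passrole(policy, account_id=ACCOUNT_ID):
    """Return the statements that let the caller pass a role it should not need.

    The probe role name is hypothetical. Passing arbitrary roles combined with
    states:CreateStateMachine lets the Lambda create a state machine that runs
    as any role in the account; scope iam:PassRole to the one execution role ARN.
    """
    probe = f"arn:aws:iam::{account_id}:role/SomeUnrelatedRole"
    return [s for s in policy["Statement"] if statement_allows(s, "iam:PassRole", probe)]


if __name__ == "__main__":
    for label, stmt in (("list", CREATE_STATEMENT_LIST), ("string", CREATE_STATEMENT_STRING)):
        verdict = policy_allows(build_policy(stmt, PASSROLE_STATEMENT), DENIED_ACTION, DENIED_RESOURCE)
        print(f'Resource as {label}: {"Allow" if verdict else "implicit Deny"}')
    broad = unrestricted_passrole(build_policy(CREATE_STATEMENT_LIST, PASSROLE_STATEMENT))
    print(f"statements passing arbitrary roles: {len(broad)}")
```

If this evaluator allows the request but AWS still denies it, the policy under test is not the one in effect for the caller. The principal in the error, `assumed-role/SFN_API_role/SFAPITest`, is the role name followed by the session name, which for Lambda is the function name, so confirm that the policy is actually attached to the execution role configured on that function, and then check for a permission boundary on the role or an organization SCP, neither of which this code models.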

【Comments】:
