This is the lambda infrastructure:

```typescript
import * as path from "path";
import * as cdk from "aws-cdk-lib";
import { Runtime } from "aws-cdk-lib/aws-lambda";
import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";
import { Effect, PolicyStatement } from "aws-cdk-lib/aws-iam";

const lambdaFn = new NodejsFunction(this, "TestSTSLambda", {
  memorySize: 1024,
  timeout: cdk.Duration.seconds(30),
  runtime: Runtime.NODEJS_20_X,
  handler: "handler",
  entry: path.join(__dirname, "../../handlers/lambda-assume-sts-role.ts"),
});

// Grant the function's execution role permission to call sts:AssumeRole
lambdaFn.addToRolePolicy(
  new PolicyStatement({
    effect: Effect.ALLOW,
    sid: "AllowSTSAssumeRole",
    actions: ["sts:AssumeRole"],
    resources: ["*"],
  })
);
```
This is the lambda code:

```typescript
import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";

export async function handler() {
  const stsClient = new STSClient({ region: "eu-central-1" });
  // Assume a role in the same account using the function's execution-role credentials
  const result = await stsClient.send(
    new AssumeRoleCommand({
      RoleArn: "arn:aws:iam::1111111111:role/SomeRoleInTheSameAccount",
      RoleSessionName: "mySession",
      DurationSeconds: 3600, // 1 hour
    })
  );
  console.log(`result = `, result);
  return {
    status: "OKAY",
  };
}
```
I get the following error:

```
"errorType": "AccessDenied", "errorMessage": "User: arn:aws:sts::111111111:assumed-role/TestLambdaxyz/TestLambdaWithSts-TestSTSLambdasUyoI is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1111111111:role/TestLambdaWithSts-TestSTSLambdaServiceRoleASDASD",
```
Look at the trust policy of the TestLambdaWithSts-TestSTSLambdaServiceRoleASDASD role. The role itself must list who is allowed to assume it. It needs a trust policy like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
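An added worked example, not code from the question or the answer: an offline checker in TypeScript that evaluates whether an IAM trust policy grants `sts:AssumeRole` to a given caller, plus a parser for the AccessDenied message so you know which role's trust policy to inspect. It implements a subset of IAM semantics (Allow/Deny, `AWS`/`Service`/`*` principals, action wildcards, explicit Deny winning) and treats any statement carrying a `Condition` conservatively as not matching. All role ARNs, account IDs and session names below are constructed placeholders; the assumed mapping of a session ARN back to its role ARN follows the `arn:aws:sts::account:assumed-role/RoleName/Session` format.

```typescript
type Principal = "*" | { AWS?: string | string[]; Service?: string | string[] };

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Condition?: Record<string, unknown>;
}

export interface TrustPolicy {
  Version: string;
  Statement: Statement[];
}

export interface Caller {
  // Role or assumed-role session ARN of the caller (constructed values in the samples below)
  roleArn: string;
  // Set when the caller is an AWS service principal rather than a role session
  service?: string;
}

function toArray<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// IAM evaluates trust on the role, not the session: map
// arn:aws:sts::acct:assumed-role/Role/Session -> arn:aws:iam::acct:role/Role
export function sessionToRoleArn(arn: string): string {
  const m = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/.+$/.exec(arn);
  return m ? `arn:aws:iam::${m[1]}:role/${m[2]}` : arn;
}

function actionMatches(actions: string[], wanted: string): boolean {
  return actions.some((a) => {
    const re = new RegExp("^" + a.split("*").map(escapeRe).join(".*") + "$", "i");
    return re.test(wanted);
  });
}

function principalMatches(p: Principal, caller: Caller): boolean {
  if (p === "*") return true;
  const roleArn = sessionToRoleArn(caller.roleArn);
  const account = /^arn:aws:iam::(\d{12}):/.exec(roleArn)?.[1];
  for (const aws of toArray(p.AWS)) {
    if (aws === "*" || aws === roleArn) return true;
    // Account-root principal delegates to the whole account; the caller then needs its own sts:AssumeRole permission
    if (account && (aws === account || aws === `arn:aws:iam::${account}:root`)) return true;
  }
  if (caller.service) {
    for (const s of toArray(p.Service)) if (s === caller.service) return true;
  }
  return false;
}

export function canAssume(policy: TrustPolicy, caller: Caller): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    if (st.Condition) continue; // conservative: conditions are not evaluated here
    if (!actionMatches(toArray(st.Action), "sts:AssumeRole")) continue;
    if (!principalMatches(st.Principal, caller)) continue;
    if (st.Effect === "Deny") return false; // explicit deny always wins
    allowed = true;
  }
  return allowed;
}

// Extract caller role and target role from the STS AccessDenied message text
export function parseAccessDenied(msg: string): { caller: string; target: string } | null {
  const m = /User: (\S+) is not authorized to perform: sts:AssumeRole on resource: (\S+)/.exec(msg);
  return m ? { caller: sessionToRoleArn(m[1]), target: m[2] } : null;
}

// Constructed sample: the answer's trust policy, which trusts the Lambda service principal
export const lambdaServiceTrust: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
};

// Constructed sample: a target role whose trust policy names the function's execution role
export const targetRoleTrust: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { AWS: "arn:aws:iam::111111111111:role/TestLambdaExecutionRole" },
    Action: "sts:AssumeRole",
  }],
};

// Constructed sample: the session the function runs under
export const lambdaSession: Caller = {
  roleArn: "arn:aws:sts::111111111111:assumed-role/TestLambdaExecutionRole/TestLambdaWithSts-TestSTSLambda",
};
```

Running `canAssume(targetRoleTrust, lambdaSession)` returns `true`, while `canAssume(lambdaServiceTrust, lambdaSession)` returns `false`: a policy that trusts only `lambda.amazonaws.com` lets the Lambda service create the execution-role session, but it does not let that session assume the role from code. For a role that a function should assume, put the function's execution-role ARN in the `AWS` principal, and scope the function's `sts:AssumeRole` statement to that target role ARN instead of `"*"`.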