我在一个帐户上有一个lambda附加了这个政策:
{
"Sid": "Id-123",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::115333656057:root"},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
}
当我从帐户115333656057创建一个堆栈,我的用户尝试执行lambda时出现此错误:
User: arn:aws:iam::115333656057:user/uguesm is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-central-1:260143830488:function:CentralizedInstanceScheduler-InstanceSchedulerMain
我究竟做错了什么?
在帐户260143830488中 - 编辑您的角色以将策略添加到InvokeFunction,并将信任策略添加到另一个帐户。
权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-central-1:260143830488:function:CentralInstanceScheduler-InstanceSchedulerMain"
},
]
}
信托关系政策:
{
"Sid": "Id-123",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::115333656057:role/<lambda-role>"},
"Action": "sts:AssumeRole",
}
在帐户115333656057中 - 为AssumeRole创建一个lambda执行角色
权限:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::260143830488:role/<RoleName>"
}
}
信托关系政策:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "lambda.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}