How do I change the IAM role of the Lambda function in the CloudFormation template of an AWS CodeStar project?
I have created an AWS CodeStar project (web service, Lambda-based, Node.js). By default, AWS CodeStar generates the following CloudFormation template:
AWSTemplateFormatVersion: 2010-09-09
Transform:
  - AWS::Serverless-2016-10-31
  - AWS::CodeStar
Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs4.3
      # The execution role is imported from the stack CodeStar created for the project
      Role:
        Fn::ImportValue:
          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
        PostEvent:
          Type: Api
          Properties:
            Path: /
            Method: post
Now I want to replace this role with my own role, because I need to add additional policies so that the Lambda function can access other AWS resources. I am also removing the API Gateway, since I will add a scheduled trigger for the Lambda invocation instead:
AWSTemplateFormatVersion: 2010-09-09
Transform:
  - AWS::Serverless-2016-10-31
  - AWS::CodeStar
Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs4.3
      # Role expects the role ARN; !Ref on an AWS::IAM::Role returns only the role name
      Role: !GetAtt HelloWorldLambdaRole.Arn
  HelloWorldLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      # CloudWatch Logs permissions; further policies for other AWS resources go here
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
However, when I commit and push these changes, AWS CodePipeline fails to update the CloudFormation stack:
CREATE_FAILED AWS::IAM::Role EchoLambdaRole API: iam:CreateRole User: arn:aws:sts::[accountId]:assumed-role/CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::[accountId]:role/awscodestar-[projectId]-lambda-HelloWorldLambdaRole-ABCDEF123456
Based on this feedback, my conclusion is that the CodeStarWorker-[projectId]-CloudFormation/AWSCloudFormation role is not authorized to create IAM roles. However, this role is hidden from my CloudFormation template, and my understanding is that CodeStar sets it up automatically. As the AWS account administrator I could simply edit the relevant policy, but IMHO that is not the way to solve this problem.
Edit:
I have checked the IAM configuration in my account. An aws-codestar-service-role has been created, and it is associated with the AWSCodeStarServiceRole policy, which (among other statements, see the link for details) contains the following statement:
{
    "Sid": "ProjectWorkerRoles",
    "Effect": "Allow",
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:SetDefaultPolicyVersion",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
    ],
    "Resource": [
        "arn:aws:iam::*:role/CodeStarWorker*",
        "arn:aws:iam::*:policy/CodeStarWorker*",
        "arn:aws:iam::*:instance-profile/awscodestar-*"
    ]
},
There is also a CodeStarWorker-[projectId]-CloudFormation role with an inline policy named CodeStarWorkerCloudFormationRolePolicy that has the following configuration:
{
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline",
                "arn:aws:s3:::aws-codestar-eu-west-1-[accountId]-[projectId]-pipeline/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "codestar:SyncResources",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:AddPermission",
                "lambda:UpdateFunction",
                "lambda:UpdateFunctionCode",
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateFunctionConfiguration",
                "lambda:RemovePermission",
                "apigateway:*",
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "kinesis:CreateStream",
                "kinesis:DeleteStream",
                "kinesis:DescribeStream",
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:ListTopics",
                "sns:GetTopicAttributes",
                "sns:SetTopicAttributes",
                "s3:CreateBucket",
                "s3:DeleteBucket"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::[accountId]:role/CodeStarWorker-[projectId]-Lambda"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:CreateChangeSet"
            ],
            "Resource": [
                "arn:aws:cloudformation:eu-west-1:aws:transform/Serverless-2016-10-31",
                "arn:aws:cloudformation:eu-west-1:aws:transform/CodeStar"
            ],
            "Effect": "Allow"
        }
    ]
}
Since I created the project, the CodeStar_[projectId]_Owner policy has been attached directly to my user.
Edit 2:
Against my own advice, I tried updating the inline CodeStarWorkerCloudFormationRolePolicy of the CodeStarWorker-[projectId]-CloudFormation role by adding the following policy statement:
{
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetRole",
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::699602212296:role/awscodestar-[projectId]-*"
    ],
    "Effect": "Allow"
}
However, this caused the following error in CloudFormation:
CREATE_FAILED AWS::CodeStar::SyncResources SyncResources123456789012 com.amazon.coral.service.InternalFailure
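As an added example (not code from the question, from AWS, or from CodeStar), here is a small Python evaluator for the Allow/Deny outcome of the policy documents quoted above, run against the requests behind the CREATE_FAILED error. It is a deliberate simplification of IAM: only Effect, Action and Resource with the '*' and '?' wildcards are handled, an explicit Deny overrides Allow and anything else is implicitly denied; conditions, NotAction/NotResource and policy variables are ignored. The account id 123456789012 and project id myproj are constructed stand-ins for [accountId] and [projectId], and the policies are trimmed to their IAM statements. Running it shows why the ProjectWorkerRoles statement does not help: its resource pattern role/CodeStarWorker* does not match the awscodestar-[projectId]-... name CloudFormation gives a role declared in the template, and the worker role's inline policy only grants iam:PassRole on the pre-created CodeStarWorker-[projectId]-Lambda role, so a custom role would need iam:PassRole as well as iam:CreateRole before it could be attached to the function.

```python
"""Minimal IAM policy evaluator (constructed example; not an AWS library).

Handles only Effect/Action/Resource with IAM's '*' and '?' wildcards.
Conditions, NotAction/NotResource, principals and policy variables are
deliberately out of scope. Actions match case-insensitively and resource
ARNs case-sensitively, as in IAM; an explicit Deny wins, otherwise an
Allow is required, otherwise the request is implicitly denied.
"""
import re

# Constructed identifiers standing in for [accountId] and [projectId].
ACCOUNT_ID = "123456789012"
PROJECT_ID = "myproj"

# Name pattern of the role CloudFormation tried to create, taken from the error.
NEW_LAMBDA_ROLE = (
    f"arn:aws:iam::{ACCOUNT_ID}:role/awscodestar-{PROJECT_ID}-lambda-"
    "HelloWorldLambdaRole-ABCDEF123456"
)
# Role pre-created by CodeStar that the worker role is allowed to pass.
WORKER_LAMBDA_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/CodeStarWorker-{PROJECT_ID}-Lambda"

# ProjectWorkerRoles statement of the AWSCodeStarServiceRole policy (trimmed).
SERVICE_ROLE_POLICY = {
    "Statement": [{
        "Sid": "ProjectWorkerRoles",
        "Effect": "Allow",
        "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
                   "iam:GetRole", "iam:PassRole", "iam:PutRolePolicy"],
        "Resource": ["arn:aws:iam::*:role/CodeStarWorker*",
                     "arn:aws:iam::*:policy/CodeStarWorker*",
                     "arn:aws:iam::*:instance-profile/awscodestar-*"],
    }]
}

# The only IAM statement of the worker role's inline CloudFormation policy.
WORKER_CFN_POLICY = {
    "Statement": [{
        "Action": ["iam:PassRole"],
        "Resource": [WORKER_LAMBDA_ROLE],
        "Effect": "Allow",
    }]
}

# The statement added in "Edit 2" of the question.
EDIT2_POLICY = {
    "Statement": [{
        "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
                   "iam:DetachRolePolicy", "iam:GetRole", "iam:PassRole"],
        "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/awscodestar-{PROJECT_ID}-*"],
        "Effect": "Allow",
    }]
}


def _wildcard(pattern, ignore_case):
    """Translate an IAM wildcard pattern ('*' any run, '?' one char) to a regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one action on one resource ARN."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not any(_wildcard(a, True).match(action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_wildcard(r, False).match(resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # explicit deny always wins
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


def diagnose():
    """Decisions for the requests that lead to the question's CREATE_FAILED."""
    return {
        "create_new_role_with_worker_policy": evaluate([WORKER_CFN_POLICY], "iam:CreateRole", NEW_LAMBDA_ROLE),
        "create_new_role_with_service_role": evaluate([SERVICE_ROLE_POLICY], "iam:CreateRole", NEW_LAMBDA_ROLE),
        "create_codestarworker_role_with_service_role": evaluate([SERVICE_ROLE_POLICY], "iam:CreateRole", WORKER_LAMBDA_ROLE),
        "pass_new_role_with_worker_policy": evaluate([WORKER_CFN_POLICY], "iam:PassRole", NEW_LAMBDA_ROLE),
        "create_new_role_after_edit2": evaluate([WORKER_CFN_POLICY, EDIT2_POLICY], "iam:CreateRole", NEW_LAMBDA_ROLE),
        "pass_new_role_after_edit2": evaluate([WORKER_CFN_POLICY, EDIT2_POLICY], "iam:PassRole", NEW_LAMBDA_ROLE),
    }


if __name__ == "__main__":
    for request, decision in diagnose().items():
        print(f"{request:46} {decision}")
```

The useful reading is the least-privilege boundary it makes visible: CodeStar scopes both the service role and the per-project worker role to names it chose itself (CodeStarWorker*), so a role named by the customer's template falls outside every Allow, and widening the worker role, as in Edit 2, is what moves the boundary rather than anything in the template.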
Could you please elaborate? I don't understand how I'm supposed to modify the service role. I do have an 'aws-codestar-service-role' (see my edit), and I have verified that it has 'iam:CreateRole' (and 'iam:DeleteRole') as part of the 'ProjectWorkerRoles' Sid, as suggested in your answer. – matsev
Hi matsev, it looks like the ProjectWorker IAM role created by CodeStar does not inherit any create or delete role actions, since that policy already has PassRole but it is not being passed through, so my suggestion above won't help. Based on your edits, I'd suggest raising a support ticket with AWS (sorry). – NHol