1. Error background:
While building a Lambda with Serverless, the Lambda needed a specified SQS queue as its trigger, and the Lambda also sends and receives messages on that queue.
2. Analysis of the cause:
The message “Invalid request provided: The provided execution role does not have permissions to call Rece” says the error is caused by the Lambda's permissions being insufficient, yet in serverless.yaml I had specified:
iamRoleStatements: # IAM role statements so that services can be accessed in the AWS account
  - Effect: 'Allow'
    Action:
      - 'rds:*'
      - 's3:*'
      - 'sqs:*'
    Resource: '*'
These statements give the Lambda full permissions on RDS, S3 and SQS, yet the problem persisted.
3. Correct approach (also usable as a reference when this error is raised by something other than Lambda):
Create an IAM role and attach a policy to it; the policy is as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream",
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:us-west-2:888888888888:log-group:/aws/lambda/log-monitor-prod*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-west-2:888888888888:log-group:/aws/lambda/log-monitor-prod*:*:*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:*",
        "s3:*",
        "sqs:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": [
        "arn:aws:sqs:us-west-2:888888888888:log_monitor_prod"
      ],
      "Effect": "Allow"
    }
  ]
}
(The account ID in each Resource needs to be changed to your own.)
Attach two permissions to the IAM role: AWSLambdaVPCAccessExecutionRole and the policy just created.
4. Modify serverless so that the self-created IAM role is bound to the Lambda:
role: arn:aws:iam::888888888888:role/log-monitor-us-west-2-lambdaRole # use the specified IAM role ARN
log-monitor-us-west-2-lambdaRole is the name of the self-created IAM role.
Summary: the error is caused by the program having insufficient permissions; grant permissions according to my policy and it is resolved.
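An added example (my own code, not from the post or from Serverless): an offline check of the policy above for the three SQS actions the trigger needs, which also flags grants that come only from "sqs:*" / Resource "*" wildcards, since statement 3 of the policy already covers everything statement 4 grants and a least-privilege role would keep only the queue-scoped one. It assumes policy documents as plain dicts and standard IAM "*" / "?" pattern matching; the account ID 888888888888 is the post's placeholder.

```python
import fnmatch

# Actions the Lambda SQS event source needs on the queue (the post's last statement).
REQUIRED_SQS_ACTIONS = ("sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, candidate):
    # IAM Action/Resource patterns support only '*' and '?'; actions are case-insensitive.
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())

def _covers(stmt, action, resource):
    # True when this statement's Action and Resource both match the given action/resource.
    return (any(_matches(a, action) for a in _as_list(stmt.get("Action", []))) and
            any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))

def check_sqs_permissions(policy, queue_arn, required=REQUIRED_SQS_ACTIONS):
    """Return (missing, wildcard_grants).
    missing: required actions not allowed, or explicitly denied, on queue_arn.
    wildcard_grants: (statement_index, action) pairs that rely on a '*' in Action or
    Resource, i.e. broader than the queue-scoped statement the post ends with."""
    statements = policy.get("Statement", [])
    missing, wildcard_grants = [], []
    for action in required:
        # An explicit Deny wins over any Allow, matching IAM's evaluation order.
        if any(s.get("Effect") == "Deny" and _covers(s, action, queue_arn) for s in statements):
            missing.append(action)
            continue
        allows = [i for i, s in enumerate(statements)
                  if s.get("Effect") == "Allow" and _covers(s, action, queue_arn)]
        if not allows:
            missing.append(action)
            continue
        for i in allows:
            s = statements[i]
            if any("*" in a for a in _as_list(s["Action"])) or "*" in _as_list(s["Resource"]):
                wildcard_grants.append((i, action))
    return missing, wildcard_grants

# Constructed sample inputs: the two SQS-related statements from the post's policy
# (888888888888 is the post's placeholder account id) and a logs-only policy for contrast.
QUEUE_ARN = "arn:aws:sqs:us-west-2:888888888888:log_monitor_prod"
BROAD = {"Effect": "Allow", "Action": ["rds:*", "s3:*", "sqs:*"], "Resource": "*"}
SCOPED = {"Effect": "Allow", "Action": list(REQUIRED_SQS_ACTIONS), "Resource": [QUEUE_ARN]}
POST_POLICY = {"Version": "2012-10-17", "Statement": [BROAD, SCOPED]}
QUEUE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [SCOPED]}
LOGS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"}]}
```

Running check_sqs_permissions(LOGS_ONLY_POLICY, QUEUE_ARN) reproduces the post's situation (all three actions missing), while POST_POLICY passes but reports every grant as also coming from the wildcard statement.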