Error when creating a skill with CloudFormation
I have been developing an Alexa skill for a month and want to create it through CloudFormation. For this I use the following:
Lambda function

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Lambda Function from Cloud Formation by Felix Vazquez",
  "Resources": {
    "Lambda1": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": "felix-lambda-code",
          "S3Key": "hello_lambda.zip"
        },
        "Description": "Test with Cloud Formation",
        "FunctionName": "Felix-hello-world1234",
        "Handler": "lambda_function.lambda_handler",
        "Role": "arn:aws:iam::776831754616:role/testRol",
        "Runtime": "python2.7"
      }
    }
  }
}
Alexa Skill

"Resources": {
  "23LT3": {
    "Type": "Alexa::ASK::Skill",
    "Properties": {
      "AuthenticationConfiguration": {
        "ClientId": "+my client ID+",
        "ClientSecret": "+my client Secret+",
        "RefreshToken": "+The token i generate via lwa+"
      },
      "VendorId": "+my vendor ID+",
      "SkillPackage": {
        "S3Bucket": "myskillpackagebucket",
        "S3Key": "my_function10.zip",
        "S3BucketRole": {
          "Fn::GetAtt": [
            "IAMRU6TJ",
            "Arn"
          ]
        },
        "Overrides": {
          "Manifest": {
            "apis": {
              "custom": {
                "endpoint": {
                  "uri": {
                    "Fn::GetAtt": [
                      "Lambda1",
                      "Arn"
                    ]
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
Now the ROLE

"Resources": {
  "IAMRU6TJ": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "s3.amazonaws.com",
                "lambda.amazonaws.com"
              ]
            },
            "Action": [
              "sts:AssumeRole"
            ]
          }
        ]
      },
      "Path": "/",
      "Policies": [
        {
          "PolicyName": "root",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
              }
            ]
          }
        }
      ]
    }
  }
}
The skill depends on the Lambda and the IAM role. When I click "Create stack", after a few seconds it gives me this error:

Unable to assume the provided role. Reason: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b2e8762c-2593-11e9-b3ec-872599411915)

For the token I used:

ask util generate-lwa-tokens --scope "alexa::ask:skills:readwrite alexa::ask:models:readwrite profile"

Event image:
Your Alexa::ASK::Skill resource: 23LT3['Properties']['SkillPackage']['S3BucketRole']

The documentation describes it as the ARN of the role that grants the Alexa service permission to access the bucket and retrieve the skill package. This role is optional; if it is not provided, the bucket must be configured with a policy that allows this access, or the archive can be made publicly accessible, so that AWS CloudFormation can create the skill.

Currently your role allows s3.amazonaws.com and lambda.amazonaws.com to assume a role that can do anything in your AWS account, but what you need is to allow "the Alexa service permission...".

Best practice is to use the minimum permissions necessary, but if you are just testing it, I get it.
I struggled to find the necessary details documented anywhere. This is the role I used to make this work.
AlexaReadRole:
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - alexa-appkit.amazon.com
          Sid: AllowServiceToAssumeRole
      Version: "2012-10-17"
    Policies:
      - PolicyName: "AlexaS3Read"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: "Allow"
              Action: "s3:GetObject"
              Resource: "arn:aws:s3:::<bucket-name>/<path-to-alexa-files>/*"
  Type: AWS::IAM::Role
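As an added example (not code from the question or either answer), the check below walks a CloudFormation template, loaded as a Python dict, and reports the two problems the answers point out for an Alexa::ASK::Skill S3BucketRole: a trust policy that does not let alexa-appkit.amazon.com assume the role, and an inline policy that grants "*" on "*". The BROKEN_TEMPLATE and FIXED_TEMPLATE samples are constructed here to mirror the shapes of the question's role and the second answer's role; the bucket and key names in them are assumptions.

```python
# Added example: lint an Alexa::ASK::Skill's S3BucketRole in a CloudFormation
# template (parsed JSON as a dict). Sample templates below are constructed.

ALEXA_SERVICE = "alexa-appkit.amazon.com"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _getatt_target(value):
    """Resolve {"Fn::GetAtt": ["LogicalId", "Arn"]} to LogicalId, else None."""
    if isinstance(value, dict) and "Fn::GetAtt" in value:
        target = value["Fn::GetAtt"]
        if isinstance(target, str):      # YAML short form "LogicalId.Arn"
            return target.split(".")[0]
        return target[0]
    return None


def trusted_services(role):
    """Service principals the trust policy allows to call sts:AssumeRole."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    services = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def wildcard_policies(role):
    """Names of inline policies that allow Action "*" on Resource "*"."""
    names = []
    for policy in _as_list(role.get("Properties", {}).get("Policies")):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action"))
                    and "*" in _as_list(stmt.get("Resource"))):
                names.append(policy.get("PolicyName", "<unnamed>"))
    return names


def check_skill_roles(template):
    """Return (logical_id, problem) findings for every Alexa::ASK::Skill."""
    resources = template.get("Resources", {})
    findings = []
    for skill_id, skill in resources.items():
        if skill.get("Type") != "Alexa::ASK::Skill":
            continue
        package = skill.get("Properties", {}).get("SkillPackage", {})
        role_id = _getatt_target(package.get("S3BucketRole"))
        if role_id is None:
            continue   # no role given: the bucket policy must grant access instead
        role = resources.get(role_id)
        if role is None or role.get("Type") != "AWS::IAM::Role":
            findings.append((skill_id, f"S3BucketRole points at missing role {role_id}"))
            continue
        if ALEXA_SERVICE not in trusted_services(role):
            findings.append((role_id, f"trust policy does not allow {ALEXA_SERVICE} to assume the role"))
        for name in wildcard_policies(role):
            findings.append((role_id, f"inline policy {name} grants * on *"))
    return findings


def _skill(role_id):
    """Constructed skill resource whose S3BucketRole references role_id."""
    return {"Type": "Alexa::ASK::Skill", "Properties": {"SkillPackage": {
        "S3Bucket": "example-bucket", "S3Key": "skill.zip",
        "S3BucketRole": {"Fn::GetAtt": [role_id, "Arn"]}}}}


def _role(services, action, resource):
    """Constructed IAM role trusting `services`, with one inline policy."""
    return {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": services},
             "Action": ["sts:AssumeRole"]}]},
        "Policies": [{"PolicyName": "SkillPackageRead", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": action, "Resource": resource}]}}]}}


# Constructed: the shape of the question's role (trusts s3/lambda, grants * on *).
BROKEN_TEMPLATE = {"Resources": {
    "Skill": _skill("SkillRole"),
    "SkillRole": _role(["s3.amazonaws.com", "lambda.amazonaws.com"], "*", "*")}}

# Constructed: the shape of the second answer's role (trusts the Alexa service,
# reads only the package prefix).
FIXED_TEMPLATE = {"Resources": {
    "Skill": _skill("SkillRole"),
    "SkillRole": _role([ALEXA_SERVICE], "s3:GetObject", "arn:aws:s3:::example-bucket/skill/*")}}

if __name__ == "__main__":
    for name, template in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, check_skill_roles(template) or "OK")
```

Run against the broken template it reports both the missing alexa-appkit.amazon.com trust (the cause of the 403 AccessDenied from STS in the question) and the "*" on "*" policy; the fixed template yields no findings. To use it on a real template, load the JSON with json.load and pass the resulting dict to check_skill_roles.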