Error creating a skill with CloudFormation


I have been developing an Alexa skill for a month and want to create it through CloudFormation. For that I use this:

Lambda function

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Lambda Function from Cloud Formation by Felix Vazquez",
   "Resources": {
      "Lambda1": {
         "Type": "AWS::Lambda::Function",
         "Properties": {
            "Code": {
               "S3Bucket": "felix-lambda-code",
               "S3Key": "hello_lambda.zip"
            },
            "Description": "Test with Cloud Formation",
            "FunctionName": "Felix-hello-world1234",
            "Handler": "lambda_function.lambda_handler",
            "Role": "arn:aws:iam::776831754616:role/testRol",
            "Runtime": "python2.7"
         }
      }
   }
}

Alexa Skill

{
    "Resources": {
        "23LT3": {
            "Type": "Alexa::ASK::Skill",
            "Properties": {
                "AuthenticationConfiguration": {
                    "ClientId": "+my client ID+",
                    "ClientSecret": "+my client Secret+",
                    "RefreshToken": "+The token i generate via lwa+"
                },
                "VendorId": "+my vendor ID+",
                "SkillPackage": {
                    "S3Bucket": "myskillpackagebucket",
                    "S3Key": "my_function10.zip",
                    "S3BucketRole": {
                        "Fn::GetAtt": [
                            "IAMRU6TJ",
                            "Arn"
                        ]
                    },
                    "Overrides": {
                        "Manifest": {
                            "apis": {
                                "custom": {
                                    "endpoint": {
                                        "uri": {
                                            "Fn::GetAtt": [
                                                "Lambda1",
                                                "Arn"
                                            ]
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
Now the ROLE

{
    "Resources": {
        "IAMRU6TJ": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "s3.amazonaws.com",
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "root",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}

The skill depends on the Lambda and the IAM role. When I click "Create stack", after a few seconds it gives me this error:

Unable to assume the provided role. Reason: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b2e8762c-2593-11e9-b3ec-872599411915)

For the token I use

ask util generate-lwa-tokens --scope "alexa::ask:skills:readwrite alexa::ask:models:readwrite profile"

Image of the stack events: [image: Event after execution]

Answer

Your Alexa::ASK::Skill resource: 23LT3['Properties']['SkillPackage']['S3BucketRole']

The documentation describes it as the ARN of the role that grants the Alexa service permission to access the bucket and retrieve the skill package. This role is optional; if it is not provided, the bucket must be configured with a policy that allows this access, or the archive can be made publicly accessible, so that AWS CloudFormation can create the skill.

Currently your role allows s3.amazonaws.com and lambda.amazonaws.com to assume a role that can do anything in your AWS account, but what you need is to allow "the Alexa service permission to ...".

Best practice is to use the minimum permissions necessary, but if you are just testing it, I get it.

Another answer

I struggled to find the necessary details documented anywhere. This is the role I used to make this work.

  AlexaReadRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - alexa-appkit.amazon.com
            Sid: AllowServiceToAssumeRole
        Version: "2012-10-17"
      Policies:
        - PolicyName: "AlexaS3Read"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "s3:GetObject"
                Resource: "arn:aws:s3:::<bucket-name>/<path-to-alexa-files>/*"
    Type: AWS::IAM::Role
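Both answers come down to two properties of the S3BucketRole: who is trusted to assume it, and how much it can do once assumed. The following pre-deployment check is an added example, not code from either answer or from AWS; it walks a parsed CloudFormation template, finds the role each Alexa::ASK::Skill points at, and flags the two defects from the question (no alexa-appkit.amazon.com principal, which is the trust principal the second answer uses, and a wildcard inline policy). The two templates inside it are constructed to mirror the question and the fix; the bucket name and prefix are hypothetical.

```python
import copy

ALEXA_SERVICE = "alexa-appkit.amazon.com"  # principal the second answer trusts for S3BucketRole

def _as_list(value):
    # IAM accepts a scalar or a list in Action/Resource/Service; normalise to a list
    return value if isinstance(value, list) else [value]
def check_skill_bucket_role(template):
    """Return findings for each Alexa::ASK::Skill whose S3BucketRole is a role in this template."""
    findings = []
    resources = template.get("Resources", {})
    for name, res in resources.items():
        if res.get("Type") != "Alexa::ASK::Skill":
            continue
        ref = res.get("Properties", {}).get("SkillPackage", {}).get("S3BucketRole")
        role_name = ref["Fn::GetAtt"][0] if isinstance(ref, dict) and "Fn::GetAtt" in ref else None
        if role_name not in resources:
            findings.append(f"{name}: S3BucketRole is not a role defined in this template")
            continue
        props = resources[role_name].get("Properties", {})
        # 1. Trust policy: it is the Alexa service, not s3/lambda, that calls sts:AssumeRole
        principals = set()
        for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
            if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
                principals.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
        if ALEXA_SERVICE not in principals:
            findings.append(f"{role_name}: trust policy lacks {ALEXA_SERVICE} (has {sorted(principals)}); expect AssumeRole AccessDenied")
        # 2. Permissions: the role only needs s3:GetObject on the skill package, never "*"
        for pol in props.get("Policies", []):
            for stmt in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") == "Allow" and ("*" in _as_list(stmt.get("Action", []))
                                                      or "*" in _as_list(stmt.get("Resource", []))):
                    findings.append(f"{role_name}/{pol.get('PolicyName')}: wildcard Action or Resource")
    return findings

# Constructed template mirroring the question: wrong trust principals plus an admin inline policy
QUESTION_TEMPLATE = {"Resources": {
    "Skill": {"Type": "Alexa::ASK::Skill", "Properties": {"SkillPackage": {
        "S3BucketRole": {"Fn::GetAtt": ["Role", "Arn"]}}}},
    "Role": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
            "Principal": {"Service": ["s3.amazonaws.com", "lambda.amazonaws.com"]}}]},
        "Policies": [{"PolicyName": "root", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}
# Same template with the fix from the answers applied (hypothetical bucket name and prefix)
FIXED_TEMPLATE = copy.deepcopy(QUESTION_TEMPLATE)
_role = FIXED_TEMPLATE["Resources"]["Role"]["Properties"]
_role["AssumeRolePolicyDocument"]["Statement"][0]["Principal"]["Service"] = [ALEXA_SERVICE]
_role["Policies"][0]["PolicyDocument"]["Statement"][0].update(
    {"Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/skill/*"})
```

Load a real template with `json.load` (or a YAML parser for the YAML form) and pass it to `check_skill_bucket_role` before running `create-stack`; an empty list means both conditions the answers describe are met.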
