How to solve "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration"
Posted: 2021-12-18 04:35:10

Question:
I have a lambda function and an apigatewayv2. I am creating everything through terraform as shown below.
```hcl
resource "aws_lambda_function" "prod_options" {
  description = "Production Lambda"

  environment {
    variables = var.prod_env
  }

  function_name = "prod-func"
  handler       = "index.handler"
  layers = [
    aws_lambda_layer_version.node_modules_prod.arn
  ]
  memory_size                    = 1024
  package_type                   = "Zip"
  reserved_concurrent_executions = -1
  role                           = aws_iam_role.lambda_exec.arn
  runtime                        = "nodejs12.x"
  s3_bucket                      = aws_s3_bucket.lambda_bucket_prod.id
  s3_key                         = aws_s3_bucket_object.lambda_node_modules_prod.key
  source_code_hash               = data.archive_file.lambda_node_modules_prod.output_base64sha256
  timeout                        = 900

  tracing_config {
    mode = "PassThrough"
  }
}
```
and the role
```hcl
resource "aws_iam_role_policy_attachment" "lambda_policy" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role" "lambda_exec" {
  name = "api_gateway_role"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : [
            "apigateway.amazonaws.com",
            "lambda.amazonaws.com"
          ]
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}
```
and then the permission
```hcl
resource "aws_lambda_permission" "prod_api_gtw" {
  statement_id  = "AllowExecutionFromApiGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.prod_options.function_name
  principal     = "apigateway.amazonaws.com"
  # Terraform interpolation needs ${...}; without the braces this is a literal string.
  source_arn    = "${aws_apigatewayv2_api.gateway_prod.execution_arn}/*/*"
}
```
After I deploy and try to call the url, I get the following error:

"integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again.",

I have been stuck on this for a while now. How can I fix this error?
Comments:
Your error says that API Gateway successfully assumed the role, but that role doesn't have permission to invoke your lambda. Are you sure your last permission block is correct? I would try giving it permission to invoke any lambda, and if that fixes your problem you can work out how to correctly specify the lambda you need.

Answer 1:
You might have to create a Lambda permission to allow execution from the API Gateway resource:
```hcl
resource "aws_lambda_permission" "apigw_lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.layout_editor_prod_options.function_name
  principal     = "apigateway.amazonaws.com"

  # The /*/*/* part allows invocation from any stage, method and resource path
  # within API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.rest_api.execution_arn}/*/*/*"
}
```
Also, for the Lambda role lambda_exec you don't need the apigateway.amazonaws.com principal. The reason we don't need it is that the execution role is applied to the function and allows it to interact with other AWS services. On the other hand, it doesn't allow API Gateway to do anything, because for that we need a Lambda permission.
```hcl
resource "aws_iam_role" "lambda_exec" {
  name = "lambda_exec_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
```
Additionally, I would attach a policy to the Lambda execution role so that it can log to CloudWatch. This may be useful for further debugging:
```hcl
resource "aws_iam_policy" "lambda_logging" {
  name        = "lambda_logging"
  path        = "/"
  description = "IAM policy for logging from a lambda"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = aws_iam_policy.lambda_logging.arn
}
```
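The comment and the answer above describe two distinct authorization paths: either API Gateway invokes the function directly and is authorized by the function's resource-based policy (aws_lambda_permission), or API Gateway assumes a role given on the integration (credentials_arn) and is authorized by that role's IAM policy, which is the path that produces the error in the question when the role lacks lambda:InvokeFunction. The following is an added example, not code from the question or the answer, that wires the poster's aws_lambda_function.prod_options to an HTTP API and shows both models side by side, each scoped to a single API and a single function. The API name "prod-http-api", the route "GET /health", the variable use_integration_role and the role name "apigw_invoke_prod_func" are assumptions for illustration.

```hcl
# Added example (not from the original question or answer). Assumed names:
# API "prod-http-api", route "GET /health", variable use_integration_role,
# role "apigw_invoke_prod_func". Requires aws_lambda_function.prod_options
# from the question and a configured AWS provider.

variable "use_integration_role" {
  description = "false: Lambda resource policy (aws_lambda_permission); true: integration credentials role"
  type        = bool
  default     = false
}

resource "aws_apigatewayv2_api" "gateway_prod" {
  name          = "prod-http-api"
  protocol_type = "HTTP"
}

resource "aws_apigatewayv2_integration" "lambda" {
  api_id                 = aws_apigatewayv2_api.gateway_prod.id
  integration_type       = "AWS_PROXY"
  integration_uri        = aws_lambda_function.prod_options.invoke_arn
  payload_format_version = "2.0"

  # When credentials_arn is set, API Gateway assumes this role and the call is
  # authorized by the role's IAM policy, not by the function's resource policy.
  # A role here that cannot call lambda:InvokeFunction on the function yields
  # the "doesn't have permissions to call the integration" error.
  credentials_arn = var.use_integration_role ? aws_iam_role.apigw_invoke[0].arn : null
}

resource "aws_apigatewayv2_route" "health" {
  api_id    = aws_apigatewayv2_api.gateway_prod.id
  route_key = "GET /health"
  target    = "integrations/${aws_apigatewayv2_integration.lambda.id}"
}

resource "aws_apigatewayv2_stage" "default" {
  api_id      = aws_apigatewayv2_api.gateway_prod.id
  name        = "$default"
  auto_deploy = true
}

# Model A: resource-based policy on the function. The Lambda execution role
# plays no part here, so it needs no apigateway.amazonaws.com trust.
resource "aws_lambda_permission" "prod_api_gtw" {
  count = var.use_integration_role ? 0 : 1

  statement_id  = "AllowExecutionFromApiGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.prod_options.function_name
  principal     = "apigateway.amazonaws.com"
  # Scoping source_arn to this API's execution ARN keeps any other API
  # Gateway API (including ones in other AWS accounts) from invoking the
  # function through the service principal.
  source_arn = "${aws_apigatewayv2_api.gateway_prod.execution_arn}/*/*"
}

# Model B: a dedicated role that only API Gateway can assume and that may
# invoke only this one function.
resource "aws_iam_role" "apigw_invoke" {
  count = var.use_integration_role ? 1 : 0
  name  = "apigw_invoke_prod_func"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "apigateway.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "apigw_invoke" {
  count = var.use_integration_role ? 1 : 0
  name  = "invoke-prod-func"
  role  = aws_iam_role.apigw_invoke[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "lambda:InvokeFunction"
      Resource = aws_lambda_function.prod_options.arn
    }]
  })
}

output "invoke_url" {
  value = "${aws_apigatewayv2_stage.default.invoke_url}/health"
}
```

With the default (use_integration_role = false) only Model A is created, matching the answer's advice to drop the apigateway.amazonaws.com trust from the Lambda execution role. Setting it to true switches the integration to Model B, where the role's inline policy grants lambda:InvokeFunction on exactly one function ARN rather than on every Lambda in the account.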