How to solve "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration"


【Chinese title】如何解决“在集成或 API 网关上配置的 IAM 角色没有调用集成的权限”【English title】How to solve "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration" 【Posted】2021-12-18 04:35:10 【Question】:

I have a Lambda function and an apigatewayv2 API. I am creating everything through Terraform, as shown below.

resource "aws_lambda_function" "prod_options" {
  description = "Production Lambda"
  environment {
    variables = var.prod_env
  }

  function_name                  = "prod-func"
  handler                        = "index.handler"
  layers                         = [
                                    aws_lambda_layer_version.node_modules_prod.arn
                                   ]
  memory_size                    = 1024
  package_type                   = "Zip"
  reserved_concurrent_executions = -1
  role                           = aws_iam_role.lambda_exec.arn
  runtime                        = "nodejs12.x"
  s3_bucket                      = aws_s3_bucket.lambda_bucket_prod.id
  s3_key                         = aws_s3_bucket_object.lambda_node_modules_prod.key
  source_code_hash               = data.archive_file.lambda_node_modules_prod.output_base64sha256
  timeout                        = 900

  tracing_config {
    mode = "PassThrough"
  }
}


and the role

resource "aws_iam_role_policy_attachment" "lambda_policy" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role" "lambda_exec" {
  name = "api_gateway_role"

  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "",
        "Effect" : "Allow",
        "Principal" : {
          "Service" : [
            "apigateway.amazonaws.com",
            "lambda.amazonaws.com"
          ]
        },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}

and then the permission

resource "aws_lambda_permission" "prod_api_gtw" {
  statement_id  = "AllowExecutionFromApiGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.prod_options.function_name
  principal     = "apigateway.amazonaws.com"

  source_arn = "${aws_apigatewayv2_api.gateway_prod.execution_arn}/*/*"
}


After I deploy and try to call the URL, I get the following error:

"integrationErrorMessage": "The IAM role configured on the integration or API Gateway doesn't have permissions to call the integration. Check the permissions and try again.",

I have been stuck on this for a while now. How can I fix this error?

【Comments】:

Your error indicates that API Gateway successfully assumed the role, but that role doesn't have permission to invoke your Lambda. Are you sure your last permission block is correct? I would try granting it permission to invoke any Lambda; if that fixes your problem, you can then work out how to correctly specify the Lambda you need.

【Answer 1】:

You probably have to create a Lambda permission to allow execution from the API Gateway resource:

resource "aws_lambda_permission" "apigw_lambda" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  # Resource name as given in the answer; point it at your own aws_lambda_function
  function_name = aws_lambda_function.layout_editor_prod_options.function_name
  principal     = "apigateway.amazonaws.com"

  # The /*/*/* part allows invocation from any stage, method and resource path
  # within API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.rest_api.execution_arn}/*/*/*"
}

Also, for the Lambda role lambda_exec, you don't need the apigateway.amazonaws.com principal. The reason we don't need it is that the execution role is applied to the function and allows it to interact with other AWS services. On the other hand, this doesn't allow API Gateway to do anything, which is why we need a Lambda permission.

resource "aws_iam_role" "lambda_exec" {
  name = "lambda_exec_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

Additionally, I would add a policy to the Lambda execution role so that it can log to CloudWatch. This may be useful for further debugging:

resource "aws_iam_policy" "lambda_logging" {
  name        = "lambda_logging"
  path        = "/"
  description = "IAM policy for logging from a lambda"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "lambda_logs" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = aws_iam_policy.lambda_logging.arn
}

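An added offline check, not code from the question or the answer: `aws_lambda_permission` writes an Allow statement into the function's resource-based policy, and API Gateway is admitted only when that statement's `AWS:SourceArn` pattern matches the stage/method/route ARN of the request under IAM `ArnLike` rules. The script below applies those rules to a constructed sample policy (made-up account id, API id and function name) to show why a `source_arn` ending in `/*/*` or `/*/*/*` covers every stage, method and route of one API, while an ARN for another API or region is rejected.

```python
import json
import re

# Constructed sample (made-up account, API id and function name) of the statement
# that an aws_lambda_permission with principal apigateway.amazonaws.com and
# source_arn "${execution_arn}/*/*" adds to the function's resource-based policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowExecutionFromApiGateway",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:prod-func",
        "Condition": {"ArnLike": {
            "AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/*/*"
        }},
    }],
})


def arn_like(pattern: str, arn: str) -> bool:
    """IAM ArnLike: the six colon-separated components are compared one by one;
    inside a component '*' matches any run of characters (slashes included)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "^" + re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if not re.match(regex, a):
            return False
    return True


def gateway_can_invoke(policy_json: str, request_arn: str) -> bool:
    """True if some Allow statement lets apigateway.amazonaws.com invoke the
    function when the request's aws:SourceArn (stage/method/route) is request_arn."""
    for stmt in json.loads(policy_json)["Statement"]:
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "apigateway.amazonaws.com" not in services:
            continue
        if "lambda:InvokeFunction" not in actions and "lambda:*" not in actions:
            continue
        source = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if source is None or arn_like(source, request_arn):  # no condition = any API
            return True
    return False
```

A statement without a `SourceArn` condition would let any API Gateway in any account invoke the function, which is why the `source_arn` argument is worth keeping scoped to one API.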