Question
How do I attach an assumable role to an API Gateway API, or to all of its methods, for invoking Lambda?
Create an API Gateway API for an AWS Lambda function tells you to attach an IAM policy that invokes Lambda:
This means that, at a minimum, you must attach the following IAM policy to the IAM role that API Gateway assumes.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "*"
    }
  ]
}
```

The role that API Gateway can assume is an IAM role with the following trust relationship:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Research
It looks like the permission can be attached on a per-method basis, but I am not sure whether there is a way to allow invocation of any method with "*".
Update
Api Gateway cannot invoke Lambda function describes a way to attach it per method/function from the UI.

Posted on 2018-08-13 02:49:01
As in Specifying Lambda permissions for API Gateway REST, set source_arn to the API's execution_arn.
```hcl
resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "${aws_lambda_function.example.arn}"
  principal     = "apigateway.amazonaws.com"
  #--------------------------------------------------------------------------------
  # Per deployment
  #--------------------------------------------------------------------------------
  # The /*/* grants access from any method on any resource within the deployment.
  # source_arn = "${aws_api_gateway_deployment.test.execution_arn}/*/*"
  #--------------------------------------------------------------------------------
  # Per API
  #--------------------------------------------------------------------------------
  # The /*/*/* part allows invocation from any stage, method and resource path
  # within API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/*/*"
}
```

Posted on 2018-08-21 13:02:26
```hcl
resource "aws_api_gateway_rest_api" "api_gw" {
  name        = "your-api-gw-name"
  description = "your api gateway description"
}

data "aws_caller_identity" "current" {}

resource "aws_lambda_permission" "lambda_permission" {
  statement_id = "AllowExecutionFromAPIGateway"
  action       = "lambda:InvokeFunction"
  # your lambda function ARN
  function_name = "arn:aws:lambda:${var.aws_region}:${data.aws_caller_identity.current.account_id}:function:lambda-function-name"
  principal     = "apigateway.amazonaws.com"
  source_arn    = "arn:aws:execute-api:${var.aws_region}:${data.aws_caller_identity.current.account_id}:${aws_api_gateway_rest_api.api_gw.id}/*/POST/"
}
```

Note: declare the aws_region variable with the region value in the variable.tf file.
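The question asks for an assumable role attached to the whole API, while both answers use a resource-based aws_lambda_permission instead. The following Terraform, added here as an example and not taken from the question or either answer, shows the role-based alternative: a role trusted by apigateway.amazonaws.com whose invoke policy is scoped to one function ARN instead of Resource "*", handed to an ANY-method proxy integration through `credentials`. It assumes Terraform 0.12+ syntax, that the `aws_lambda_function.example` and `aws_api_gateway_rest_api.example` resources from the first answer exist, and that the role name is a placeholder.

```hcl
# Added example (not from the question or answers). Assumes aws_lambda_function.example
# and aws_api_gateway_rest_api.example exist; the role name is a placeholder.
data "aws_iam_policy_document" "apigw_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "apigw_invoke" {
  name               = "apigw-invoke-example"
  assume_role_policy = data.aws_iam_policy_document.apigw_trust.json
}
# Least privilege: allow invoking only this function rather than Resource = "*".
data "aws_iam_policy_document" "apigw_invoke" {
  statement {
    actions   = ["lambda:InvokeFunction"]
    resources = [aws_lambda_function.example.arn]
  }
}
resource "aws_iam_role_policy" "apigw_invoke" {
  role   = aws_iam_role.apigw_invoke.id
  policy = data.aws_iam_policy_document.apigw_invoke.json
}
# A {proxy+} resource with an ANY method covers every path and HTTP method.
resource "aws_api_gateway_resource" "proxy" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  parent_id   = aws_api_gateway_rest_api.example.root_resource_id
  path_part   = "{proxy+}"
}
resource "aws_api_gateway_method" "proxy" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.proxy.id
  http_method   = "ANY"
  authorization = "NONE" # placeholder; attach an authorizer on a real API
}
# Passing the role via `credentials` replaces the per-function aws_lambda_permission.
resource "aws_api_gateway_integration" "lambda" {
  rest_api_id             = aws_api_gateway_rest_api.example.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = aws_api_gateway_method.proxy.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  uri                     = aws_lambda_function.example.invoke_arn
  credentials             = aws_iam_role.apigw_invoke.arn
}
```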
https://stackoverflow.com/questions/51814038