I have CodeBuild in account A, and the buildspec includes a step that updates a Lambda function located in account B. Note that the zip file is in S3, and the S3 bucket is in account A.
The role attached to CodeBuild is roleA.
Assume we have two roles:
- roleA in account A
- roleB in account B
roleA trust relationship policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Policies attached to roleA:
- S3 full access
- CodeBuild policy
- Lambda full access
- Cross-account policy
Cross-account policy:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::ACCOUNTID_B:role/roleB"
    }
}
roleB trust relationship policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNTID_A:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Policies attached to roleB:
- AWSLambda_FullAccess
When I run CodeBuild, I get the following error:
An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation: User: arn:aws:sts::ACCOUNTID_A:assumed-role/roleA/AWSCodeBuild-01f59836-f3e4-9732-d910-ff40967882f9 is not authorized to perform: lambda:UpdateFunctionCode on resource: arn:aws:lambda:us-west-1:ACCOUNTID_B:function:lambdafunctionhere because no resource-based policy allows the lambda:UpdateFunctionCode action
Buildspec file:
version: 0.2
phases:
  build:
    commands:
      - aws --version
      - aws lambda update-function-code --function-name arn:aws:lambda:us-west-1:ACCOUNTID_B:function:lambdafunctionnamehere --s3-bucket s3_zip_accountA --s3-key Lambda/package.zip
Reply from a uj5u.com community member:
You can add a resource policy to the Lambda function (this is different from an IAM policy):
{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "AllowUpdateFunction",
            "Effect": "Allow",
            "Principal": {
                "AWS": "ARN of code build role"
            },
            "Action": "lambda:UpdateFunctionCode",
            "Resource": "<ARN of lambda function>"
        }
    ]
}
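The buildspec in the question never actually uses roleB: the update-function-code call runs as roleA's CodeBuild session, which is exactly the identity named in the AccessDenied error. Besides the resource policy in the reply above, the other way to make the call authorised is to have the build assume roleB first (the cross-account policy and roleB's trust policy in the question already allow that) and run the Lambda call with roleB's temporary credentials. The shell fragment below is an added example, not code from the original question or reply; the ARNs, bucket and key are the placeholders from the question, and the helper names (export_assumed_creds, account_of_arn, update_lambda_as_role_b) are this example's own. It also checks, before touching the function, that the session really landed in account B, so a silently failed assume-role cannot fall back to roleA.

```shell
#!/bin/sh
# Added example: buildspec-style shell that assumes roleB in account B before
# calling update-function-code. Placeholders (ACCOUNTID_B, roleB, the function
# name, the bucket and key) are the ones from the question, not real values.
set -eu

ROLE_B_ARN="${ROLE_B_ARN:-arn:aws:iam::ACCOUNTID_B:role/roleB}"
FUNCTION_ARN="${FUNCTION_ARN:-arn:aws:lambda:us-west-1:ACCOUNTID_B:function:lambdafunctionnamehere}"
ZIP_BUCKET="${ZIP_BUCKET:-s3_zip_accountA}"
ZIP_KEY="${ZIP_KEY:-Lambda/package.zip}"

# export_assumed_creds: takes the single tab-separated line produced by
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# and exports the three values so that every later aws call runs as roleB.
# Fails (return 1) if any field is missing, so a half-parsed response cannot
# leave the build running as the wrong identity.
export_assumed_creds() {
    creds_line="$1"
    # cut -s drops lines without a tab, so a malformed line yields empty fields
    AWS_ACCESS_KEY_ID=$(printf '%s\n' "$creds_line" | cut -s -f1)
    AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$creds_line" | cut -s -f2)
    AWS_SESSION_TOKEN=$(printf '%s\n' "$creds_line" | cut -s -f3)
    [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_SESSION_TOKEN" ] || {
        echo "assume-role returned incomplete credentials" >&2
        return 1
    }
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# account_of_arn: returns the account-id field of an ARN
# (arn:partition:service:region:account:resource).
account_of_arn() {
    printf '%s\n' "$1" | cut -d: -f5
}

update_lambda_as_role_b() {
    # Step 1: roleA (CodeBuild's own role) assumes roleB. This needs the
    # sts:AssumeRole grant on roleA and the account-A principal in roleB's trust policy.
    creds=$(aws sts assume-role \
        --role-arn "$ROLE_B_ARN" \
        --role-session-name "codebuild-lambda-deploy" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)
    export_assumed_creds "$creds"

    # Step 2: refuse to continue unless the caller is now in account B.
    caller_arn=$(aws sts get-caller-identity --query Arn --output text)
    [ "$(account_of_arn "$caller_arn")" = "$(account_of_arn "$ROLE_B_ARN")" ] || {
        echo "expected to run as $ROLE_B_ARN, got $caller_arn" >&2
        return 1
    }

    # Step 3: UpdateFunctionCode is now authorised by roleB's AWSLambda_FullAccess.
    # The zip still lives in account A, so the bucket policy on ZIP_BUCKET must let
    # the account-B identity read the object; an S3 error here points at that policy.
    aws lambda update-function-code \
        --function-name "$FUNCTION_ARN" \
        --s3-bucket "$ZIP_BUCKET" \
        --s3-key "$ZIP_KEY"
}

# Only perform the real AWS calls inside a CodeBuild run with the CLI present;
# CODEBUILD_BUILD_ID is set by CodeBuild itself.
if command -v aws >/dev/null 2>&1 && [ -n "${CODEBUILD_BUILD_ID:-}" ]; then
    update_lambda_as_role_b
fi
```

In the buildspec this would replace the single update-function-code line with a call to update_lambda_as_role_b (or the commands inlined). Whichever route is chosen, the resource policy from the reply or the assume-role path shown here, scope the principal to the specific role ARN rather than the account root, so that only the build role in account A can push code into the function.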
Please credit the source when reprinting; link to this article: https://www.uj5u.com/gongcheng/374054.html
Tags: amazon-web-services amazon-s3 aws-lambda amazon aws-codebuild
