使用 yaml 云形成,我在 AWS::ApiGateway::RestApi 上配置了一個 lambda AWS::ApiGateway::Authorizer。我已經通過控制臺成功測驗了授權方和網關 API 方法,但是當我使用 curl 訪問部署的 api 時,它失敗并顯示狀態碼 500:
< HTTP/2 500
< content-type: application/json
< content-length: 16
< date: Fri, 25 Mar 2022 09:45:06 GMT
< x-amzn-requestid: 07f7793c-406c-44c2-b184-dbbfd3f2a4fc
< x-amzn-errortype: AuthorizerConfigurationException
< x-amz-apigw-id: PiNNVFTTPHcFwyA=
< x-cache: Error from cloudfront
我在 API-Gateway-Execution 日志中看到了這個錯誤:
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role arn:aws:iam::XXXXXXXXXXXX:role/auth
Execution failed due to configuration error: Authorizer error
據我了解,API Gateway 正在嘗試執行 lambda 授權方,但沒有信任關系允許它執行 lambda,盡管因此被授予所述信任:
lambdaAuthorizerFunctionRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: auth
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
# allow lambda and apigateway to assume the policies attached to this role
Service: [ lambda.amazonaws.com, apigateway.amazonaws.com ]
Action: sts:AssumeRole
Policies:
...
有人可以向我解釋我在這里做錯了什么嗎?任何幫助將非常感激。
更新:
謝謝馬爾辛。這解決了這個問題,讓我擺脫了漫長而孤獨的努力。
The error API-Gateway-Execution log message misled me. It states that 'API Gateway does not have permission to assume the provided role', which, in the absence of any meaningful AWS documentation, I took to mean that it required a trust relationship brought by an AssumeRolePolicyDocument in an AWS::IAM::Role.
This issue was particularly difficult to resolve, since I could not find a clear explanation for exactly what the missing permission was, given that it could refer missing 'AuthorizerCredentials' in the 'AWS::ApiGateway::Authorizer'. I'd tried adding permissions there to no effect. In my working solution, I have removed the AuthorizerCredentials altogether. It's not clear to me what those credentials are actually for, since they were not needed. Adding them didn't hurt, but didn't solve the problem.
I thought the missing permissions might also have to do with the authorizer lambda's AssumeRolePolicyDocument not granting trust to apigateway.amazonaws.com as mentioned elsewhere. But no. Only lambda.amazonaws.com is required as the Principal, as is usually the case.
Lastly, I note that this problem was exacerbated by the fact that the Cloud Formation update-stack operation silently fails to update the authorizer: While debugging, removing the authorizer from the AWS::ApiGateway::RestApi and the AWS::ApiGateway::Methods' AuthorizerId properties silently left the authorizer in tact. That is, with the authorizer removed by the update, I still experienced the 'API Gateway does not have permission to assume the provided role' error. Deleting and recreating the stack overcame this blockage.
uj5u.com熱心網友回復:
允許 API 呼叫您的函式的首選方式是通過AWS::Lambda::Permission,而不是 IAM 角色。因此,您可以創建如下內容:
permission:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt function.Arn
Action: lambda:InvokeFunction
Principal: apigateway.amazonaws.com
SourceArn: <arn:aws:execute-api:region>:<accountid>:<api_id>/authorizers/<authorizer_id>
轉載請註明出處,本文鏈接:https://www.uj5u.com/qiye/450572.html
標籤:amazon-web-services aws-lambda 亚马逊云形成 aws-api-网关 lambda授权人
