我正在尝试设置我的 Lambda 以访问我Mongo server的EC2 instances in VPC. 选择所有subnetsand后security groups,保存时出现以下错误“您无权执行:CreateNetworkInterface。 ”
我相信,我需要某种策略设置AWS IAM来允许这样做。
我有“AdministratorAccess”,我正在尝试将 IAM 角色添加到我的帐户。
有谁知道policy/role我需要什么?
问问题
15331 次
2 回答
20
明白了!!!如果错误消息显示“此Lambda 函数无权执行:CreateNetworkInterface”,那么需要使用适当的策略修改 Lambda 角色会更有意义。通过将策略添加到 Lambda 使用的角色来解决问题:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"ec2:DescribeInstances",
"ec2:CreateNetworkInterface",
"ec2:AttachNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"autoscaling:CompleteLifecycleAction"
]
}
]
}
于 2016-02-12T17:48:36.687 回答
15
有必要为 lambda 提供策略操作:
NetworkLambdaRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: "Network-Lambda-Role"
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
-
Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Action:
- "sts:AssumeRole"
Policies:
- PolicyName: "network-lambda-role-policy"
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: "Allow"
Action: [
"ec2:DescribeInstances",
"ec2:CreateNetworkInterface",
"ec2:AttachNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface"
]
Resource: "*"
注意:blueskin 的回答缺少政策ec2:DeleteNetworkInterfaces
于 2018-01-16T12:04:18.773 回答